Skip to content

Mounted Drives

Validate that saving to host drive letters and NTFS mount points does not leak data out of the Secure Sandbox, including volumes present before launch and volumes added after launch.

Objectives

  • Enforce write redirection/denial for host drive letters (for example, C:, D:, E:).
  • Prove containment for hot‑added volumes and NTFS mount points.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Optional: additional volumes created via Disk Management; NTFS mount points configured on C:\NTFSMount-*.

Controls Under Test

  • Storage isolation and overlay write redirection.

Test Scenarios

IDCanonical IDsScenarioProcedureExpected Outcome
SCEN-SYSTEM-MOUNTED-DRIVES-01HARD-FILES-01, HARD-FILESBYPASS-02Mapped drive letter to UNCMap Y: to \\\\localhost\\C$ from the host while app is running; from the sandboxed app, save to Y:.Denied or virtualized to overlay/context; SMB/UNC egress remains blocked. Audit fileOp deny/virtualize with attempted mapped path.
SCEN-SYSTEM-MOUNTED-DRIVES-02HARD-FILES-01Pre‑launch drive letters (D:/E:)With D:/E: present before launch, attempt Save As to those drives.Writes are denied or virtualized to sandbox overlay; no host write. Audit fileOp deny/virtualize.
SCEN-SYSTEM-MOUNTED-DRIVES-03HARD-HOST-05Hot‑added drive letters (D:/E:)Launch app; then add a new volume/partition. Attempt Save As to the new drive.Writes are denied or virtualized; hot‑add handled consistently. Audit fileOp deny/virtualize.
SCEN-SYSTEM-MOUNTED-DRIVES-04HARD-FILESBYPASS-01, HARD-FILESBYPASS-09NTFS mount points (before/after launch)Create C:\\NTFSMount-BeforeLaunch before starting the app and C:\\NTFSMount-AfterLaunch while app is running; attempt to save inside those folders.Writes denied or virtualized; no leakage via mount-point indirection. Audit fileOp deny/virtualize with attempted paths.

Evidence Requirements

  • fileOp events showing action: "deny"|"virtualize", attempted path, rule.id, integrity.hash.