Skip to content

PuTTY

Validate PuTTY SSH client behaviors under the Secure Sandbox.

Objectives

  • Enforce network controls for SSH connections.
  • Verify clipboard boundaries for terminal sessions.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • PuTTY installed.

Controls Under Test

  • runtime.networking.egressDefaultAction, proxy enforcement.
  • runtime.dataMotion.rules[] for clipboard.

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-TOOL-PUTTY-01NET-EGRESS-01SSH to Disallowed IPOpen PuTTY; connect to <IP>.Connection fails (timeout or proxy deny).
SCEN-TOOL-PUTTY-02NET-EGRESS-10SSH via ProxyConnect to allowlisted host via the designated proxy.Connection succeeds only when proxy identity/pinning is valid; traffic traverses the proxy; on mismatch, TLS handshake fails. Audit includes proxyEnforced: true and reason when denied.
SCEN-TOOL-PUTTY-03DM-CLIP-01Clipboard OutboundSelect text in PuTTY terminal; paste to host.Denied/processed per policy.
SCEN-TOOL-PUTTY-04NET-EGRESS-01, NET-EGRESS-12Telnet to disallowed hostUse PuTTY Telnet to connect to 127.0.0.1 or a device IP without allow rules.Connection fails (timeout/deny); CONNECT or direct access not permitted.
SCEN-TOOL-PUTTY-05NET-ISOLATE-04Telnet within named networkStart a Telnet server inside a sandbox on --network=test; from another sandbox on the same named segment, connect with PuTTY Telnet.Connection succeeds within the same named segment; audit shows action: allow; host or different segment remains denied.

Evidence Requirements

  • network events: protocol (tcp/22), destination, action.
  • dataMotion events: channel: "clipboard".