Appearance
PuTTY
Validate PuTTY SSH client behaviors under the Secure Sandbox.
Objectives
- Enforce network controls for SSH connections.
- Verify clipboard boundaries for terminal sessions.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- PuTTY installed.
Controls Under Test
runtime.networking.egressDefaultAction, proxy enforcement.runtime.dataMotion.rules[]for clipboard.
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-TOOL-PUTTY-01 | NET-EGRESS-01 | SSH to Disallowed IP | Open PuTTY; connect to <IP>. | Connection fails (timeout or proxy deny). |
| SCEN-TOOL-PUTTY-02 | NET-EGRESS-10 | SSH via Proxy | Connect to allowlisted host via the designated proxy. | Connection succeeds only when proxy identity/pinning is valid; traffic traverses the proxy; on mismatch, TLS handshake fails. Audit includes proxyEnforced: true and reason when denied. |
| SCEN-TOOL-PUTTY-03 | DM-CLIP-01 | Clipboard Outbound | Select text in PuTTY terminal; paste to host. | Denied/processed per policy. |
| SCEN-TOOL-PUTTY-04 | NET-EGRESS-01, NET-EGRESS-12 | Telnet to disallowed host | Use PuTTY Telnet to connect to 127.0.0.1 or a device IP without allow rules. | Connection fails (timeout/deny); CONNECT or direct access not permitted. |
| SCEN-TOOL-PUTTY-05 | NET-ISOLATE-04 | Telnet within named network | Start a Telnet server inside a sandbox on --network=test; from another sandbox on the same named segment, connect with PuTTY Telnet. | Connection succeeds within the same named segment; audit shows action: allow; host or different segment remains denied. |
Evidence Requirements
networkevents: protocol (tcp/22), destination, action.dataMotionevents:channel: "clipboard".
