R ollbaccine : Herd Immunity against Storage Rollback Attacks in TEEs

Today, users can ''lift-and-shift'' unmodified applications into modern, VM-based Trusted Execution Environments (TEEs) in order to gain hardware-based security guarantees. However, TEEs do not protect applications against disk rollback attacks, where persistent storage can be reverted to an earlier state after a crash; existing rollback resistance solutions either only support a subset of applications or require code modification. Our key insight is that restoring disk consistency after a rollback attack guarantees rollback resistance for any application. We present R ollbaccine , a device mapper that provides automatic rollback resistance for all applications by provably preserving disk consistency. R ollbaccine intercepts and replicates writes to disk, restores lost state from backups during recovery, and minimizes overheads by taking advantage of the weak, multi-threaded semantics of disk operations. R ollbaccine performs on-par with state-of-the-art, non-automatic rollback resistant solutions; in fact, across benchmarks over PostgreSQL, HDFS, and two file systems (ext4 and xfs), R ollbaccine adds only 19% overhead, except for the fsync-heavy Filebench Varmail.