It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications

TL;DR

Rebound is a security framework that allows legitimate rollbacks in cloud applications while preventing replay and rollback attacks, ensuring integrity and auditability.

Contribution

It introduces Rebound, enabling secure, authorized rollbacks with a reference monitor, atomic state updates, and tamper-evident logging, balancing security and operational flexibility.

Findings

Rebound effectively prevents replay and rollback attacks.

It supports policy-based legitimate rollbacks for cloud applications.

Low overhead demonstrated in GitLab CI deployment workflows.

Abstract

Replay and rollback attacks threaten cloud application integrity by reintroducing authentic yet stale data through an untrusted storage interface to compromise application decision-making. Prior security frameworks mitigate these attacks by enforcing forward-only state transitions (state continuity) with hardware-backed mechanisms, but they categorically treat all rollback as malicious and thus preclude legitimate rollbacks used for operational recovery from corruption or misconfiguration. We present Rebound, a general-purpose security framework that preserves rollback protection while enabling policy-authorized legitimate rollbacks of application binaries, configuration, and data. Key to Rebound is a reference monitor that mediates state transitions, enforces authorization policy, guarantees atomicity of state updates and rollbacks, and emits a tamper-evident log that provides transparency to applications and auditors. We analyze Rebound's security properties and show through an application case study -- with software deployment workflows in GitLab CI -- that it enables robust control over binary, configuration, and raw data versioning with low end-to-end overhead.