Replay and rollback attacks threaten cloud application integrity by reintroducing authentic yet stale data through an untrusted storage interface to compromise application decision-making. Prior security frameworks mitigate these attacks by enforcing forward-only state transitions (state continuity) with hardware-backed mechanisms, but they categorically treat all rollback as malicious and thus preclude legitimate rollbacks used for operational recovery from corruption or misconfiguration. We present Rebound, a general-purpose security framework that preserves rollback protection while enabling policy-authorized legitimate rollbacks of application binaries, configuration, and data. Key to Rebound is a reference monitor that mediates state transitions, enforces authorization policy, guarantees atomicity of state updates and rollbacks, and emits a tamper-evident log that provides transparency to applications and auditors. We analyze Rebound's security properties and show through an application case study -- with software deployment workflows in GitLab CI -- that it enables robust control over binary, configuration, and raw data versioning with low end-to-end overhead.
翻译:摘要:重放攻击和回滚攻击通过不可信存储接口重新引入真实但过时的数据,会破坏云应用的决策完整性。现有安全框架通过硬件支持机制强制执行仅前进状态转换(状态连续性)来缓解此类攻击,但这类框架将所有回滚归类为恶意行为,从而排除了用于从数据损坏或配置错误中恢复操作的合法回滚。我们提出Rebound——一个通用型安全框架,在保留回滚防护能力的同时,支持经策略授权的二进制文件、配置和数据合法回滚。Rebound的核心是一个引用监视器,它调解状态转换、执行授权策略、保证状态更新与回滚的原子性,并生成防篡改日志为应用和审计人员提供透明度。我们分析了Rebound的安全属性,并通过GitLab CI中的软件部署工作流的应用案例研究表明,该框架能以低端到端开销实现对二进制文件、配置及原始数据版本控制的强健管理。