It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications
2025 · Open Access · DOI: https://doi.org/10.48550/arxiv.2511.13641
Replay and rollback attacks threaten cloud application integrity by reintroducing authentic yet stale data through an untrusted storage interface to compromise application decision-making. Prior security frameworks mitigate these attacks by enforcing forward-only state transitions (state continuity) with hardware-backed mechanisms, but they categorically treat all rollback as malicious and thus preclude legitimate rollbacks used for operational recovery from corruption or misconfiguration. We present Rebound, a general-purpose security framework that preserves rollback protection while enabling policy-authorized legitimate rollbacks of application binaries, configuration, and data. Key to Rebound is a reference monitor that mediates state transitions, enforces authorization policy, guarantees atomicity of state updates and rollbacks, and emits a tamper-evident log that provides transparency to applications and auditors. We formally prove Rebound's security properties and show through an application case study -- with software deployment workflows in GitLab CI -- that it enables robust control over binary, configuration, and raw data versioning with low end-to-end overhead.
- Type: preprint
- Landing Page: http://arxiv.org/abs/2511.13641, https://arxiv.org/pdf/2511.13641
- OA Status: green
- OpenAlex ID: https://openalex.org/W4416364037
Raw OpenAlex JSON
- OpenAlex ID: https://openalex.org/W4416364037 (Canonical identifier for this work in OpenAlex)
- DOI: https://doi.org/10.48550/arxiv.2511.13641 (Digital Object Identifier)
- Title: It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications (Work title)
- Type: preprint (OpenAlex work type)
- Publication year: 2025 (Year of publication)
- Publication date: 2025-11-17 (Full publication date if available)
- Authors: Quinn Burke, Michael M. Swift, Patrick McDaniel (List of authors in order)
- Landing page: https://arxiv.org/abs/2511.13641 (Publisher landing page)
- PDF URL: https://arxiv.org/pdf/2511.13641 (Direct link to full text PDF)
- Open access: Yes (Whether a free full text is available)
- OA status: green (Open access status per OpenAlex)
- OA URL: https://arxiv.org/pdf/2511.13641 (Direct OA link when available)
- Cited by: 0 (Total citation count in OpenAlex)
Full payload
| id | https://openalex.org/W4416364037 |
|---|---|
| doi | https://doi.org/10.48550/arxiv.2511.13641 |
| ids.doi | https://doi.org/10.48550/arxiv.2511.13641 |
| ids.openalex | https://openalex.org/W4416364037 |
| fwci | |
| type | preprint |
| title | It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications |
| biblio.issue | |
| biblio.volume | |
| biblio.last_page | |
| biblio.first_page | |
| is_xpac | False |
| apc_list | |
| apc_paid | |
| language | |
| locations[0].id | pmh:oai:arXiv.org:2511.13641 |
| locations[0].is_oa | True |
| locations[0].source.id | https://openalex.org/S4306400194 |
| locations[0].source.issn | |
| locations[0].source.type | repository |
| locations[0].source.is_oa | True |
| locations[0].source.issn_l | |
| locations[0].source.is_core | False |
| locations[0].source.is_in_doaj | False |
| locations[0].source.display_name | arXiv (Cornell University) |
| locations[0].source.host_organization | https://openalex.org/I205783295 |
| locations[0].source.host_organization_name | Cornell University |
| locations[0].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[0].license | |
| locations[0].pdf_url | https://arxiv.org/pdf/2511.13641 |
| locations[0].version | submittedVersion |
| locations[0].raw_type | text |
| locations[0].license_id | |
| locations[0].is_accepted | False |
| locations[0].is_published | False |
| locations[0].raw_source_name | |
| locations[0].landing_page_url | http://arxiv.org/abs/2511.13641 |
| locations[1].id | doi:10.48550/arxiv.2511.13641 |
| locations[1].is_oa | True |
| locations[1].source.id | https://openalex.org/S4306400194 |
| locations[1].source.issn | |
| locations[1].source.type | repository |
| locations[1].source.is_oa | True |
| locations[1].source.issn_l | |
| locations[1].source.is_core | False |
| locations[1].source.is_in_doaj | False |
| locations[1].source.display_name | arXiv (Cornell University) |
| locations[1].source.host_organization | https://openalex.org/I205783295 |
| locations[1].source.host_organization_name | Cornell University |
| locations[1].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[1].license | |
| locations[1].pdf_url | |
| locations[1].version | |
| locations[1].raw_type | article |
| locations[1].license_id | |
| locations[1].is_accepted | False |
| locations[1].is_published | |
| locations[1].raw_source_name | |
| locations[1].landing_page_url | https://doi.org/10.48550/arxiv.2511.13641 |
| indexed_in | arxiv, datacite |
| authorships[0].author.id | https://openalex.org/A5084426434 |
| authorships[0].author.orcid | https://orcid.org/0000-0002-9217-5128 |
| authorships[0].author.display_name | Quinn Burke |
| authorships[0].author_position | first |
| authorships[0].raw_author_name | Burke, Quinn |
| authorships[0].is_corresponding | False |
| authorships[1].author.id | https://openalex.org/A5072740120 |
| authorships[1].author.orcid | https://orcid.org/0000-0002-7926-648X |
| authorships[1].author.display_name | Michael M. Swift |
| authorships[1].author_position | last |
| authorships[1].raw_author_name | Swift, Michael |
| authorships[1].is_corresponding | False |
| authorships[2].author.id | https://openalex.org/A5055368149 |
| authorships[2].author.orcid | https://orcid.org/0000-0003-2091-7484 |
| authorships[2].author.display_name | Patrick McDaniel |
| authorships[2].author_position | middle |
| authorships[2].raw_author_name | McDaniel, Patrick |
| authorships[2].is_corresponding | False |
| has_content.pdf | False |
| has_content.grobid_xml | False |
| is_paratext | False |
| open_access.is_oa | True |
| open_access.oa_url | https://arxiv.org/pdf/2511.13641 |
| open_access.oa_status | green |
| open_access.any_repository_has_fulltext | False |
| created_date | 2025-11-19T00:00:00 |
| display_name | It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications |
| has_fulltext | False |
| is_retracted | False |
| updated_date | 2025-11-28T12:11:47.103959 |
| primary_topic | |
| cited_by_count | 0 |
| locations_count | 2 |
| best_oa_location.id | pmh:oai:arXiv.org:2511.13641 |
| best_oa_location.is_oa | True |
| best_oa_location.source.id | https://openalex.org/S4306400194 |
| best_oa_location.source.issn | |
| best_oa_location.source.type | repository |
| best_oa_location.source.is_oa | True |
| best_oa_location.source.issn_l | |
| best_oa_location.source.is_core | False |
| best_oa_location.source.is_in_doaj | False |
| best_oa_location.source.display_name | arXiv (Cornell University) |
| best_oa_location.source.host_organization | https://openalex.org/I205783295 |
| best_oa_location.source.host_organization_name | Cornell University |
| best_oa_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| best_oa_location.license | |
| best_oa_location.pdf_url | https://arxiv.org/pdf/2511.13641 |
| best_oa_location.version | submittedVersion |
| best_oa_location.raw_type | text |
| best_oa_location.license_id | |
| best_oa_location.is_accepted | False |
| best_oa_location.is_published | False |
| best_oa_location.raw_source_name | |
| best_oa_location.landing_page_url | http://arxiv.org/abs/2511.13641 |
| primary_location.id | pmh:oai:arXiv.org:2511.13641 |
| primary_location.is_oa | True |
| primary_location.source.id | https://openalex.org/S4306400194 |
| primary_location.source.issn | |
| primary_location.source.type | repository |
| primary_location.source.is_oa | True |
| primary_location.source.issn_l | |
| primary_location.source.is_core | False |
| primary_location.source.is_in_doaj | False |
| primary_location.source.display_name | arXiv (Cornell University) |
| primary_location.source.host_organization | https://openalex.org/I205783295 |
| primary_location.source.host_organization_name | Cornell University |
| primary_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| primary_location.license | |
| primary_location.pdf_url | https://arxiv.org/pdf/2511.13641 |
| primary_location.version | submittedVersion |
| primary_location.raw_type | text |
| primary_location.license_id | |
| primary_location.is_accepted | False |
| primary_location.is_published | False |
| primary_location.raw_source_name | |
| primary_location.landing_page_url | http://arxiv.org/abs/2511.13641 |
| publication_date | 2025-11-17 |
| publication_year | 2025 |
| referenced_works_count | 0 |
| cited_by_percentile_year | |
| countries_distinct_count | 0 |
| institutions_distinct_count | 3 |
| citation_normalized_percentile |