🤖 AI Summary
Modern VM-based trusted execution environments (TEEs) remain vulnerable to disk rollback attacks—persistent storage can revert to stale states after crashes, violating application consistency. Existing defenses are either narrowly scoped or require invasive application modifications. This paper proposes the first fully automatic, application-transparent rollback protection mechanism, grounded in the principle of disk state consistency recovery. We introduce a novel weak-semantics-aware write-copy-and-recovery strategy, integrated with Linux device-mapper–based kernel-level I/O interception, incremental snapshotting, and multi-threaded weak-ordering write optimization. Evaluated on real-world workloads—including PostgreSQL and HDFS—our approach incurs only 19% average performance overhead (excluding fsync-heavy scenarios), while outperforming the best non-automatic solution by 208× in throughput.
📝 Abstract
Today, users can "lift-and-shift" unmodified applications into modern, VM-based Trusted Execution Environments (TEEs) in order to gain hardware-based security guarantees. However, TEEs do not protect applications against disk rollback attacks, where persistent storage can be reverted to an earlier state after a crash; existing rollback resistance solutions either only support a subset of applications or require code modification. Our key insight is that restoring disk consistency after a rollback attack guarantees rollback resistance for any application. We present Rollbaccine, a device mapper that provides automatic rollback resistance for all applications by provably preserving disk consistency. Rollbaccine intercepts and replicates writes to disk, restores lost state from backups during recovery, and minimizes overheads by taking advantage of the weak, multi-threaded semantics of disk operations. Across benchmarks over two real applications (PostgreSQL and HDFS) and two file systems (ext4 and xfs), Rollbaccine adds only 19% overhead, except for the fsync-heavy Filebench Varmail. In addition, Rollbaccine outperforms the state-of-the-art, non-automatic rollback-resistant solution by $208\times$.
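The abstract's core idea (intercept writes, replicate them to a trusted backup, and after a rollback rewrite whatever the disk has lost so that it is consistent again as of the last acknowledged fsync) can be made concrete with a small model. The following Python is an added illustration, not Rollbaccine's code or its actual protocol: it models the untrusted disk as a block map that an attacker can snapshot and revert, tags every write with a sequence number, and uses fsync as the point at which writes become durable and are replicated. The `Disk`, `Backup` and `Interposer` classes and the fsync-time replication are constructed simplifications (the real system replicates writes and optimizes around weak ordering in ways this model does not capture); what the model does show is why per-block sequence numbers suffice to detect a rollback and why only fsync'd state needs to be restored for consistency to hold.

```python
"""Toy model of rollback detection and recovery via write replication.

Constructed illustration (not the paper's code). Writes pass through an
interposition layer that stands in for a device-mapper target. Each write
carries a monotonically increasing sequence number; on fsync the durable
writes are replicated to a trusted backup. After a rollback (the untrusted
disk is reverted to an earlier image), recovery compares per-block sequence
numbers on disk against the backup and rewrites every stale block, which
restores the disk to the state the application last saw as durable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Block = Tuple[int, bytes]  # (sequence number, data)


@dataclass
class Disk:
    """Untrusted persistent storage; an attacker can snapshot and revert it."""
    blocks: Dict[int, Block] = field(default_factory=dict)

    def snapshot(self) -> Dict[int, Block]:
        return dict(self.blocks)

    def revert(self, snap: Dict[int, Block]) -> None:
        # Models the rollback attack: the whole image goes back in time.
        self.blocks = dict(snap)


@dataclass
class Backup:
    """Trusted replica (e.g. held by another TEE) of every durable write."""
    blocks: Dict[int, Block] = field(default_factory=dict)


class Interposer:
    """Sits between the application and the disk, like a device-mapper target."""

    def __init__(self, disk: Disk, backup: Backup) -> None:
        self.disk, self.backup = disk, backup
        self.seq = 0
        # Writes issued but not yet fsync'd. Under weak disk semantics these
        # may be reordered or lost on a crash, so the application cannot rely
        # on them and recovery need not restore them.
        self.pending: List[Tuple[int, int, bytes]] = []

    def write(self, block: int, data: bytes) -> None:
        self.seq += 1
        self.disk.blocks[block] = (self.seq, data)
        self.pending.append((block, self.seq, data))

    def fsync(self) -> None:
        # Durability point: everything written so far is now promised to the
        # application, so the backup must reflect it exactly.
        for block, seq, data in self.pending:
            self.backup.blocks[block] = (seq, data)
        self.pending.clear()

    def detect_rollback(self) -> List[int]:
        """Blocks whose on-disk sequence number lags the backup's: evidence of rollback."""
        stale = []
        for block, (bseq, _) in self.backup.blocks.items():
            dseq = self.disk.blocks.get(block, (0, b""))[0]
            if dseq < bseq:
                stale.append(block)
        return sorted(stale)

    def recover(self) -> int:
        """Rewrite stale blocks from the backup; return how many were restored."""
        stale = self.detect_rollback()
        for block in stale:
            self.disk.blocks[block] = self.backup.blocks[block]
        self.pending.clear()  # un-fsync'd writes are legitimately gone after a crash
        self.seq = max((s for s, _ in self.backup.blocks.values()), default=0)
        return len(stale)


def demo() -> Tuple[List[int], int, bytes, bool]:
    """Constructed scenario: a durable update is rolled back and then recovered."""
    disk, backup = Disk(), Backup()
    io = Interposer(disk, backup)
    io.write(0, b"balance=100")
    io.write(1, b"log: init")
    io.fsync()
    snap = disk.snapshot()            # attacker captures the disk image here
    io.write(0, b"balance=50")
    io.write(1, b"log: paid 50")
    io.fsync()                        # application now relies on the payment being durable
    io.write(2, b"scratch")           # never fsync'd: losing it on a crash is not an inconsistency
    disk.revert(snap)                 # rollback attack after a crash
    stale = io.detect_rollback()
    restored = io.recover()
    return stale, restored, disk.blocks[0][1], 2 in disk.blocks


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports blocks 0 and 1 as stale and restores both, leaving block 0 at `balance=50`, while block 2 stays absent: the recovered disk matches the last fsync'd state and nothing else, which is exactly the consistency guarantee the abstract argues is sufficient for any application.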