Trusted Execution Environments (TEEs) such as SGX and TrustZone retain non-volatile state across power cycles, rendering them vulnerable to covert rollback attacks that compromise Byzantine fault-tolerant (BFT) system recovery. Method: We propose a rollback-resilient reliable read-write register construction. First, we introduce a unified fault model capturing crash, Byzantine, and rollback faults in TEEs. Second, we derive tight bounds on register fault tolerance for both static and dynamic settings, proving that (n geq 3f + 1) is necessary and sufficient for static fault tolerance. Third, we design a dynamic state reconstruction algorithm that requires no trusted monotonic counter, enabling the first provably correct emulation of reliable registers in TEEs. Contribution/Results: Our work provides formal correctness guarantees and practical building blocks for fault-tolerant systems operating under real-world hardware constraints—specifically, those imposed by TEEs’ non-volatile storage semantics and rollback vulnerabilities.

Recent advances in secure hardware technologies, such as Intel SGX or ARM TrustZone, offer an opportunity to substantially reduce the costs of Byzantine fault-tolerance by placing the program code and state within a secure enclave known as a Trusted Execution Environment (TEE). However, the protection offered by a TEE only applies during program execution. Once power is switched off, the non-volatile portion of the program state becomes vulnerable to rollback attacks wherein it is undetectably reverted to an older version. In this paper, we consider a problem of implementing reliable read/write registers out of failure-prone replicas subject to state rollbacks. To this end, we introduce a new unified model that captures the multiple failure types that can affect a TEE-based system. We then establish tight bounds on the fault-tolerance of register constructions in this model for both the static case, where failure thresholds hold throughout the entire execution, and the dynamic case, where they only hold eventually. Our dynamic register emulation algorithm resolves a long-standing question of how to correctly rebuild replica state upon restart without relying on additional hardware assumptions such as trusted monotonic counters.