This paper presents the design, implementation, and evaluation of Pasture, a secure messaging and logginglibrary that enables secure offline data access on untrusted user devices by leveraging commodity trusted hardware. Pasture does not trust the application, OS, or hypervisor and even admits hardware snooping attacks, while providing two important safety properties: access-undeniability (a user cannot deny any offline data access obtained by his device without failing an audit) and verifiable-revocation (a user who generates a verifiable proof of revocation of unaccessed data can never access that data in the future).
For practical viability, Pasture moves costly trusted hardware operations from common data access actions to uncommon recovery and checkpoint actions. We used Pasture to augment three applications with secure data offline access to provide high availability, rich functionality, and improved consistency. Our evaluation suggests that Pasture overheads are acceptable for these applications.