部分故障期间的安全漏洞——分布式系统的设计笔记

TL;DR: Many security mechanisms fail not during attacks, but during partial outages. This post documents early design notes for a failure-aware security framework for distributed systems.<p>The problem<p>In production distributed systems, security often breaks when things are half working:<p>auth services degrade → retries explode<p>fallback paths widen access<p>recovery logic becomes the attack surface<p>Nothing is “exploited”, yet the system becomes unsafe.<p>Most security models assume stable components and clean failures. Real systems don’t behave that way.<p>Design assumptions<p>We assume:<p>correlated failures<p>retries are adversarial<p>timeouts are unsafe defaults<p>recovery paths matter as much as steady-state logic<p>We don’t assume:<p>global consistency<p>perfect identity<p>reliable clocks<p>centralized enforcement<p>Framework ideas (high level)<p>This work explores four ideas:<p>1. Failure-aware trust<p>Trust degrades under failure, not just compromise<p>Access narrows automatically during partial outages<p>2. Security invariants at runtime<p>Invariants are continuously enforced<p>Violations trigger containment, not alerts<p>3. Retry-safe security primitives<p>Idempotent, monotonic, side-effect bounded<p>Retries can’t escalate privilege<p>4. Security as observable state<p>Trust level, degradation, and containment are visible<p>If you can’t observe it, you can’t secure it<p>What this is not<p>Not zero trust marketing<p>Not compliance<p>Not a finished system<p>It’s an attempt to treat failure as the normal case, not an exception.<p>Why publish this early?<p>Because many real failures:<p>don’t fit clean research papers<p>happen during incidents, not attacks<p>are invisible outside production systems<p>We’re sharing design notes to get feedback before formalizing or evaluating further.<p>Feedback welcome<p>If you’ve seen security regressions during outages or retries causing unsafe behavior, I’d like to hear about it.<p>This is ongoing work. No claims of novelty or completeness.