{ "version": "https://jsonfeed.org/version/1", "title": "Mayckon Giovani", "home_page_url": "https://mayckongiovani.xyz/pensieve/", "description": "Principal Systems Engineer specializing in post-quantum cryptography, distributed systems, and security-critical infrastructure.", "author": { "name": "Mayckon Giovani" }, "items": [ { "id": "https://mayckongiovani.xyz/pensieve/2026-04-stateful-signatures-xmss-lms-without-index-reuse", "content_html": "
\n

Paper/spec-driven systems note. Theme: PQC that fails because of systems engineering, not math.

\n
\n

TL;DR

\n

Stateful hash-based signatures (XMSS, LMS/HSS) are attractive in post-quantum migrations because their security rests on hash functions and conservative assumptions. But they hide a non-negotiable constraint: each one-time signing key must be used at most once. In practice that means: your signature scheme is only as strong as your crash-consistency and concurrency control. If you cannot guarantee “no index reuse” under retries, rollbacks, snapshots, and partial deployment, you are not deploying PQC — you are deploying a latent signing-key compromise.

\n
\n
Key insight
\n

For XMSS/LMS, correctness is an invariant on durable state. The cryptography is only the leaf function; the security boundary is the state machine that allocates and commits leaf indices.

\n
\n

Key takeaways

\n\n

Introduction (pragmatic abstract: why you should care today)

\n

The supply-chain incident is not “someone broke SHA-256”. It’s usually one of:

\n\n

In PQC migration programs, stateful hash-based signatures are often proposed for the conservative path: they are standardized, their assumptions are narrow, and they are plausible even under aggressive quantum timelines. (1) (2) (3)

\n

But stateful signatures demand that you treat the signing key as a protocol state.

\n

If you are signing firmware for IIoT devices, you’re signing into an adversarial lifecycle: devices get cloned, images get restored, regional partitions happen, and “just retry” becomes policy. That is exactly the environment where index reuse happens unless you engineer against it.

\n

I’m writing this the way I operate in Chile: fewer slogans, more invariants. If the system can’t fail, you don’t “enable PQC” — you prove that your allocator cannot reuse a leaf index under the failure model you actually have.

\n

Key questions

\n\n

Assumptions

\n

I’ll be explicit because “implicit assumptions” become production incidents.

\n\n

Non-goals

\n\n

Security properties

\n

This is what “secure deployment” means in operational terms.

\n

P1 — Unforgeability (EUF-CMA, in the intended threat model)

\n

An attacker who sees signatures σ1,,σq\\sigma_1,\\dots,\\sigma_qσ1,,σq for chosen messages should not be able to produce a valid signature σ\\sigma^{*}σ for a new message mm^{*}m with non-negligible probability.

\n

P2 — No index reuse (deployment invariant)

\n

For each keypair and each leaf index iii, at most one signature is ever produced using the one-time key at iii.

\n

In words: the key is stateful. If you cannot enforce P2, P1 is not a meaningful claim.

\n
\n
Invariant
\n

NoReuse: For a given signing key kid, every leaf index i is used at most once, across all replicas, across all time, including after crash recovery and restores.

\n
\n

P3 — Rollback resistance (or rollback detection)

\n

You must prevent or detect state rollback that could cause index reuse. “Detect” is acceptable only if your response is “treat as compromise; rotate; revoke”.

\n

Failure modes

\n

These are the places where teams get hurt: not on paper, but in production.

\n\n
\n
Pitfall
\n

“We store the counter in Postgres” is not a design. The question is: what isolation level, what recovery semantics, what rollback story, what evidence?

\n
\n

What to monitor

\n

Operability is part of correctness for stateful signatures: you need signals that correspond to proof obligations.

\n\n

The Mathematical Anatomy of the Problem

\n

Stateful signatures are not hard because Merkle trees are hard. They are hard because one-time signatures are not “one-time-ish”.

\n

I’ll use the XMSS/LMS family (Merkle tree over OTS keys) because that’s the shared shape. (1) (2)

\n

Merkle signatures in one page

\n

You have:

\n\n

A signature on message mmm at index iii contains:

\n
    \n
  1. an OTS signature σi\\sigma_iσi proving knowledge of ski\\mathrm{sk}_iski for message mmm,
    2. \n
  2. an authentication path πi\\pi_iπi proving that pki\\mathrm{pk}_ipki is in the tree under root\\mathrm{root}root.
    3. \n
\n

Verification is:

\n
Verify(root,m,i,σi,πi)=VerifyOTS(pki,m,σi)VerifyMerkle(root,pki,i,πi).\\mathrm{Verify}(\\mathrm{root}, m, i, \\sigma_i, \\pi_i) =\n\\mathrm{VerifyOTS}(\\mathrm{pk}_i, m, \\sigma_i) \\wedge\n\\mathrm{VerifyMerkle}(\\mathrm{root}, \\mathrm{pk}_i, i, \\pi_i).Verify(root,m,i,σi,πi)=VerifyOTS(pki,m,σi)VerifyMerkle(root,pki,i,πi).
\n

The only secret that changes across signatures is the choice of leaf index.

\n

Why “one-time” is an invariant, not a suggestion

\n

In WOTS+/LM-OTS-style constructions, the signature leaks structured information about the secret key. The security proof assumes you leak that structure once. Twice is a different game.

\n

Here’s the minimal intuition using a Winternitz-like chain view (XMSS uses WOTS+): (1)

\n

Let FFF be a one-way function (modeled as a hash). For each chain position j{1,,}j \\in \\{1,\\dots,\\ell\\}j{1,,}:

\n\n

For a message mmm, you compute a base-www representation that yields digits aj(m){0,,w}a_j(m) \\in \\{0,\\dots,w\\}aj(m){0,,w}.

\n

The signature reveals:

\n
sj=Faj(m)(xj).s_j = F^{a_j(m)}(x_j).sj=Faj(m)(xj).
\n

If the same one-time key is used twice for messages m1,m2m_1, m_2m1,m2, the attacker learns:

\n
Faj(m1)(xj),Faj(m2)(xj).F^{a_j(m_1)}(x_j),\\quad F^{a_j(m_2)}(x_j).Faj(m1)(xj),Faj(m2)(xj).
\n

Since hashing forward is easy, the attacker can compute:

\n
Fmax(aj(m1),aj(m2))(xj)F^{\\max(a_j(m_1), a_j(m_2))}(x_j)Fmax(aj(m1),aj(m2))(xj)
\n

for every chain jjj by hashing forward from the smaller revealed value to the larger. With enough reuse and chosen messages, this becomes a practical forging path.

\n

You do not need to memorize the exact attack to engineer correctly. You need to internalize the operational conclusion:

\n
\n
Rule of thumb
\n

For XMSS/LMS, a single index reuse is a “stop the world” event. Rotate keys, revoke certificates, and treat all artifacts since the last known-good index as suspect.

\n
\n

The invariant as a formal predicate

\n

Model the signer as a state machine with durable state:

\n\n

The deployment invariant is:

\n
NoReusei.  iusedi<next        used is monotone.\\mathrm{NoReuse} \\equiv \\forall i.\\; i \\in \\mathrm{used} \\Rightarrow i < \\mathrm{next}\\;\\;\\wedge\\;\\;\n\\mathrm{used}\\ \\text{is monotone}.NoReusei.iusedi<nextused is monotone.
\n

In TLA+-style pseudocode:

\n
VARIABLES next, used\n\nInit ==\n  /\\ next = 0\n  /\\ used = {}\n\nReserve ==\n  /\\ LET i == next IN\n     /\\ next' = next + 1\n     /\\ used' = used \\cup {i}\n\nInv_NoReuse ==\n  /\\ used \\subseteq 0..(next-1)\n  /\\ used' \\supseteq used
\n

This looks trivial until you map it onto real failures:

\n\n

That is where systems engineering starts.

\n

From Proofs to Binaries: The Implementation Challenge

\n

Formal models talk about “steps”. Your deployment talks about:

\n\n

1) Concurrency: allocation must be linearizable

\n

If you have more than one signing worker, you need a single source of truth for next.

\n

Correct solutions:

\n\n

Incorrect solutions (common in the wild):

\n\n
\n
Attack surface
\n

Index reuse is not only a bug. It is an adversary primitive: force retries + partitions + restores until your allocator violates linearizability.

\n
\n

2) Crash consistency: durability must happen before you return success

\n

The hardest bug is:

\n
    \n
  1. signer produces signature σ\\sigmaσ for index iii,
    2. \n
  2. process crashes before persisting “i was used”,
    3. \n
  3. on restart, the signer reuses iii.
    4. \n
\n

The safe pattern is intentionally boring:

\n\n

Burning indices reduces capacity. Reusing an index destroys security.

\n

3) Rollback attacks: snapshots are an adversary tool

\n

If your signing state lives on disk and you restore an old snapshot, your counter goes backwards. That is equivalent to index reuse.

\n

Mitigations, in increasing order of strength:

\n\n

4) Refinement mapping: keep the spec-to-code bridge explicit

\n

The formal model’s state is (next, used). The implementation’s state becomes:

\n\n

Write the refinement mapping down:

\n\n

If you can’t express that mapping, you can’t convincingly argue you implemented the invariant.

\n

Implementation sketch (Rust)

\n

Treat index allocation as an interface with explicit failure semantics:

\n
index_allocator.rs
\n
pub struct Reservation {\n    pub key_id: String,\n    pub start: u64,\n    pub len: u32,\n    pub epoch: u64, // fencing token\n}\n\npub trait IndexAllocator {\n    fn reserve(&self, key_id: &str, len: u32) -> Result<Reservation, AllocError>;\n    fn commit_receipt(&self, receipt: Receipt) -> Result<(), AllocError>;\n}
\n

The invariants the implementation must preserve are not “Rust safety” invariants. They are protocol invariants:

\n
{ Linearizable(next) * DurableLog(kid) }\nreserve(kid, len)\n{ Disjoint(reservation, prior) ∧ Monotone(next) }
\n

If you cannot test linearizability under adversarial schedules, you are guessing. Use deterministic concurrency testing where possible (e.g., Loom for the local state machine) and fault-injection for the allocator boundary.

\n

Rollback plan

\n

This is incident response, not wishful thinking. If you don’t rehearse it, you don’t have it.

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Huelsing A, Butin D, Gazdag S, Rijneveld J, Mohaisen A. XMSS: eXtended Merkle Signature Scheme [Internet]. RFC Editor; 2018. Report No.: 8391. Available from: https://www.rfc-editor.org/rfc/rfc8391
\n
\n
\n
2.
McGrew D, Curcio M, Fluhrer S. Leighton-Micali Hash-Based Signatures [Internet]. RFC Editor; 2019. Report No.: 8554. Available from: https://www.rfc-editor.org/rfc/rfc8554
\n
\n
\n
3.
Cooper DA, Apon DC, Dang QH, Davidson MS, Dworkin MJ, Miller CA. Recommendation for Stateful Hash-Based Signature Schemes [Internet]. 2020. Report No.: 800–208. Available from: https://csrc.nist.gov/pubs/sp/800/208/final
\n
\n
\n
4.
Ongaro D, Ousterhout J. In Search of an Understandable Consensus Algorithm (Raft). In: 2014 USENIX Annual Technical Conference (USENIX ATC 14) [Internet]. 2014. Available from: https://raft.github.io/raft.pdf
\n
\n
\n
5.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
6.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2026-04-stateful-signatures-xmss-lms-without-index-reuse", "title": "Stateful Signatures Are a Distributed Systems Problem: XMSS/LMS Without Index Reuse", "summary": "Deep dive (April 2026): stateful hash-based signatures look like “just PQC”, but one index reuse is a catastrophic key-management failure. Model the invariant, then build the allocator like a consensus component.", "date_modified": "2026-04-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security-critical-infrastructure", "devsecops", "iiot-platforms", "distributed-systems", "formal-methods" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2026-03-hotstuff-termination-uc-delay-attacks", "content_html": "
\n

Paper-driven research note. Theme: Termination proofs for industrial BFT.

\n
\n

TL;DR

\n

In critical infrastructure, “consensus safety” is table stakes. The incident is almost never “two conflicting commits”; the incident is the protocol that stops making progress while operators stare at dashboards and timeouts that look “reasonable” on paper. This post dissects a recent UC-flavored termination proof for HotStuff and turns it into engineering constraints you can actually ship — in Rust, under adversarial latency, with cryptography whose parameters are not free.

\n
\n
Key insight
\n

Termination is an interface contract. If you cannot bound “time-to-finality under attack” as a function of network + compute, you do not have a reliable protocol — you have a hope with a quorum.

\n
\n

Key takeaways

\n\n

Introduction (Pragmatic abstract: why you should care today)

\n

It’s 03:17 in Santiago. A consortium chain is “healthy” in the sense that nodes are alive, disks are fine, and TLS handshakes still work. But finality stalls. The pager doesn’t ask whether the protocol is Byzantine-safe. It asks a simpler question:

\n
\n

“Can you commit within a bounded time under adversarial latency?”

\n
\n

This is not academic. Any system that uses BFT consensus as an availability primitive — identity registries, payment rails, device authorization, industrial telemetry notarization — eventually meets the same failure mode: network delay attacks and correlated jitter that keep honest replicas oscillating in view changes.

\n

The paper I’m using as the anchor is:

\n\n

Their claim is specific and valuable: build a UC-style formal system for HotStuff in a partially synchronous network and prove termination (progress) even under delay attacks using phased time analysis and exponential backoff. This matters because HotStuff has become the default “industrial BFT shape” precisely due to its linear view change and pipelining. (2)

\n

But “valuable” is not “sufficient”. We need to translate the proof into constraints that survive:

\n\n
\n
Attack surface
\n

Delay attacks don’t need to break signatures. They break coordination: by keeping timeouts too small and views too unstable, they turn “safety” into “permanent limbo”.

\n
\n

Assumptions

\n

I’m explicit here because “unstated assumptions” are where correctness dies in production.

\n\n

Non-goals

\n\n

Security properties

\n

I separate “consensus safety” from “termination” because conflating them is how teams ship protocol code that passes tests and fails reality.

\n

Safety (agreement / consistency)

\n

Informally: no two honest replicas commit conflicting blocks.

\n

Formally, for committed blocks bbb and bb'b at the same height:

\n
(Committed(b)Committed(b)bbbb)\\Box\\Big(\\mathrm{Committed}(b)\\wedge \\mathrm{Committed}(b') \\Rightarrow b \\preceq b' \\vee b' \\preceq b\\Big)(Committed(b)Committed(b)bbbb)
\n

where \\preceq is the ancestor relation in the block tree (chain prefix).

\n

Liveness / termination

\n

We want: after GST, honest replicas commit within bounded time.

\n

In a partial synchrony model, the best you can do is: there exists a bound T(Δ,compute,f,n)T(\\Delta, \\text{compute}, f, n)T(Δ,compute,f,n) such that:

\n
T  Committed()\\Diamond_{\\le T}\\;\\mathrm{Committed}(\\cdot)TCommitted()
\n

In UC terms: you define an ideal functionality that “decides” (terminates) and then prove the real protocol UC-realizes it, meaning no environment can distinguish real execution from ideal execution (up to negligible probability) while preserving the termination guarantee. (4) (1)

\n

Failure modes

\n

If you’ve operated these systems, none of these are hypothetical.

\n\n
\n
Pitfall
\n

If you tune timeouts using “median RTT”, you are tuning for the world where nobody is trying to break you. The liveness proof needs worst-case envelopes after GST.

\n
\n

What to monitor

\n

If you can’t observe the proof obligations, you can’t operate the system.

\n\n

Rollback plan

\n

If termination is part of your SLO, rollback is part of the protocol story.

\n\n
\n
Operational note
\n

Carry liveness parameters as signed config artifacts. When the chain stalls, you need evidence of what timeout schedule each node is actually running.

\n
\n

The Mathematical Anatomy of the Problem

\n

HotStuff’s safety intuition is familiar: vote only for safe extensions of what you know; commit when you have a certified chain. The subtlety is termination: after GST, you need the protocol to stop spinning.

\n

To talk precisely, we need a minimal state model.

\n

State and events

\n

Let:

\n\n

Events:

\n\n

In TLA+ style, the transition system is:

\n
VARIABLES view, highQC, lockedQC, blocks, decided, timeout\n\nInit ==\n  /\\ view = 0\n  /\\ decided = FALSE\n  /\\ highQC = GenesisQC\n  /\\ lockedQC = GenesisQC\n  /\\ blocks = {Genesis}\n  /\\ timeout = T0\n\nNext ==\n  \\/ ProposeStep\n  \\/ VoteStep\n  \\/ QCStep\n  \\/ CommitStep\n  \\/ TimeoutStep\n  \\/ NewViewStep
\n

This is intentionally incomplete — the point is to isolate the core proof obligations.

\n

The invariant that actually matters: monotone lock discipline

\n

HotStuff safety is usually explained via “3-chain commit” (a block is committed when it has a chain of descendants with QCs). But safety is enforced by a more operational invariant: honest replicas do not vote in ways that can later create conflicting commits.

\n

One useful invariant (informal but precise enough to mechanize) is:

\n
\n

Lock invariant: An honest replica votes only for blocks that extend its lockedQC (or a QC with view ≥ the lock), and lockedQC.view is monotone non-decreasing.

\n
\n

Formally:

\n
InvlockrH:    lockedQCr.viewhighQCr.view    (lockedQCr.viewlockedQCr.view)\\mathrm{Inv}_{lock} \\equiv \\forall r\\in H:\\;\\; \\mathrm{lockedQC}_r.view \\le \\mathrm{highQC}_r.view\n\\;\\wedge\\;\n\\Box\\big(\\mathrm{lockedQC}'_r.view \\ge \\mathrm{lockedQC}_r.view\\big)InvlockrH:lockedQCr.viewhighQCr.view(lockedQCr.viewlockedQCr.view)
\n

and vote safety:

\n
(Voter(b)Extends(b,lockedQCr)  b.qc.viewlockedQCr.view)\\Box\\Big(\\mathrm{Vote}_r(b)\\Rightarrow \\mathrm{Extends}(b,\\mathrm{lockedQC}_r)\\ \\vee\\ b.qc.view \\ge \\mathrm{lockedQC}_r.view\\Big)(Voter(b)Extends(b,lockedQCr)  b.qc.viewlockedQCr.view)
\n

where Extends(b, qc) means b is in the subtree rooted at the block certified by qc.

\n
\n
Invariant
\n

Monotone locks + safe-vote rule are the core safety rail. Everything else (pipelining, leader rotation) has to respect this or the proof collapses.

\n
\n

Termination: why delay attacks break naive liveness

\n

Under partial synchrony, termination proofs typically take this shape:

\n
    \n
  1. After GST, message delay ≤ Δ\\DeltaΔ.
    2. \n
  2. If the protocol ever enters a “stable” view whose timeout ≥ kΔk\\DeltakΔ (for some constant kkk), the leader can complete a round: propose → collect votes → form QC → advance.
    3. \n
  3. Therefore, show that the protocol will eventually reach such a stable view.
    4. \n
\n

Delay attacks break step (3) by ensuring timeouts stay too small: replicas time out before QCs propagate, triggering perpetual view changes.

\n

The paper’s core move is to treat timeout selection not as configuration but as a proof object: a phased time analysis with exponential backoff so that, after enough failed phases, some honest views have timeout large enough to dominate Δ\\DeltaΔ and finish. (1)

\n

A backoff lemma (the engineering version)

\n

Assume the local timeout evolves as:

\n
Ti+1=2Tion view-change due to timeout.T_{i+1} = 2T_i \\quad\\text{on view-change due to timeout.}Ti+1=2Tion view-change due to timeout.
\n

Let kkk be the first phase where TkcΔT_k \\ge c\\DeltaTkcΔ (for a constant ccc that hides protocol steps and crypto verification latency). Then:

\n
k=log2cΔT0k = \\left\\lceil \\log_2 \\frac{c\\Delta}{T_0} \\right\\rceilk=log2T0cΔ
\n

and the total time spent until entering that phase is bounded by the geometric series:

\n
i=0kTi2Tk2cΔ.\\sum_{i=0}^{k} T_i \\le 2T_k \\le 2c\\Delta.i=0kTi2Tk2cΔ.
\n

This is the skeleton behind “bounded termination under delay attacks”: backoff converts unknown Δ\\DeltaΔ into a bounded search cost.

\n

The uncomfortable part is hidden in ccc: in real code, ccc is not “3” — it includes:

\n\n

If your implementation inflates ccc, your termination bound inflates even if the proof is correct.

\n

UC angle: refinement mapping, not just an invariant

\n

UC proofs are not “prove an invariant and you’re done”. You define an ideal functionality F\\mathcal{F}F that captures the desired behavior, then show the real protocol Π\\PiΠ emulates it in any environment.

\n

The useful mental model for engineers is a refinement mapping:

\n
ρ:SΠSF\\rho : S_{\\Pi} \\to S_{\\mathcal{F}}ρ:SΠSF
\n

mapping concrete protocol state (blocks, QCs, views, transcripts) into an abstract state (decided value, delivered-to-who).

\n

An engineer-friendly mapping for HotStuff is:

\n\n

Then you prove:

\n
    \n
  1. Safety refinement: concrete commits map to a single decided value in F\\mathcal{F}F.
    2. \n
  2. Liveness refinement: if F\\mathcal{F}F terminates within bound TTT, so does Π\\PiΠ (under assumptions).
    3. \n
\n

The paper frames this through UC indistinguishability; the refinement mapping is the bridge engineers can actually use to align spec ↔ code. (4) (1)

\n
RefinementSafety ==\n  /\\ decided => \\E v : Ideal.decidedValue = Payload(CommittedBlock)\n\nRefinementLiveness ==\n  /\\ AfterGST => <>_<=T decided
\n

No, this is not a complete proof. It is the scaffold you need before you drown in details.

\n

From Proofs to Binaries: The Implementation Challenge

\n

Formal models talk about messages, not memory. They talk about “steps”, not cache misses. They talk about “timeouts”, not tokio::time::sleep() under load.

\n

This is where high-assurance work lives: the gap.

\n

1) Concurrency and determinism: don’t let the runtime invent new behaviors

\n

If your replica is implemented as a set of concurrent tasks (network IO, timer, consensus state machine), your correctness story depends on how events interleave.

\n

In Rust, “memory safe” is not “protocol correct”. You need an explicit concurrency model:

\n\n

In separation logic terms, you want to preserve ownership and invariants across event handlers:

\n
{ Tree(blocks) * LockState(highQC, lockedQC) * Timer(view, timeout) }\nhandle(event)\n{ Tree(blocks') * LockState(highQC', lockedQC') * Timer(view', timeout')  ∧ Inv_lock }
\n

The practical trick: make the protocol state single-owner. Use channels to serialize transitions; treat networking and timers as producers of events, not mutators of state.

\n

2) “Δ\\DeltaΔ includes crypto”: post-quantum parameters move your liveness bound

\n

HotStuff deployments often rely on threshold signatures (e.g., BLS) to compress votes/QCs. In UC proofs, signatures are ideal: verification is a constant-time oracle.

\n

In reality:

\n\n

This is not a side note. It changes the effective Δ\\DeltaΔ and the constant ccc in your termination bound.

\n

Rule of thumb: treat “crypto verification latency p99” as part of your synchrony envelope.

\n
\n
Rule of thumb
\n

For liveness, set timeouts against p99(network + queue + crypto verify), not p50 RTT. Then prove that backoff reaches that envelope after GST.

\n
\n

If you plan to swap classical primitives for post-quantum candidates (e.g., Dilithium/Falcon in signatures, Kyber in key exchange), your operational question becomes:

\n
\n

“Do we still terminate under the same fault and delay assumptions once signature verification dominates the critical path?”

\n
\n

The proof can survive if you re-parameterize ccc — but your SLO might not.

\n

3) Memory pressure and bounded state: liveness dies when you OOM

\n

Formal consensus models rarely encode memory bounds. Real nodes do.

\n

If an attacker can force you to retain unbounded blocks or QCs, termination becomes irrelevant: the process dies. Your implementation must include:

\n\n

If you cannot express pruning in the spec, at least express it as an invariant in the code and test it under adversarial schedules.

\n

4) Instrumentation as proof preservation

\n

UC proofs provide indistinguishability. Operators need evidence:

\n\n

Instrument these as structured logs tied to:

\n\n

In my experience, the systems that survive incidents are the ones where you can reconstruct the protocol trace from partial evidence. That is “high assurance” in the real world.

\n

Authority critique (what the paper proves, and what it doesn’t)

\n

I respect this work. A UC-style termination proof for HotStuff is not easy. But the boundary between “proof” and “system” is where professionals get hurt.

\n

Limitations that matter if you build fleets:

\n
    \n
  1. UC idealizes resources. A polynomial-time adversary is not the same as an adversary who saturates your CPU with signature verification and forces queue collapse.
    2. \n
  2. Partial synchrony is a cliff. Backoff gives termination after GST, but real networks don’t announce GST. Mis-estimating Δ\\DeltaΔ yields either liveness collapse (too small) or unacceptable latency (too large).
    3. \n
  3. Implementation complexity is externalized. The proof doesn’t cover memory bounds, pruning correctness, persistence, replay, upgrade choreography, or operator mistakes — but those are where real outages live.
    4. \n
  4. The proof target is a model, not your code. Without a disciplined refinement mapping and implementation invariants, you can “prove HotStuff terminates” and still ship a non-terminating Rust node.
    5. \n
  5. Industrial heterogeneity breaks constants. IIoT and edge deployments are not homogeneous servers. If half your fleet is slower, leader success probability changes and effective Δ\\DeltaΔ changes.
    6. \n
\n

The lesson isn’t “ignore proofs”. The lesson is: treat proofs as specs for engineering guardrails, not as certificates of deployed behavior.

\n

The Future of High-Assurance Engineering

\n

High-assurance engineering is converging on a sober reality:

\n\n

The next generation of systems that “cannot fail” will not be built by adding more diagrams. They’ll be built by:

\n
    \n
  1. writing specs that include time, compute, and adversaries as first-class inputs,
    2. \n
  2. enforcing invariants in code (types + single-owner state machines + explicit scheduling),
    3. \n
  3. treating cryptographic parameters as part of liveness, not just security,
    4. \n
  4. and operationalizing the proof (monitoring + rollback + evidence).
    5. \n
\n

If you’re building in Rust, the path is clear: make the protocol state explicit, make invalid states unrepresentable, and then prove a refinement mapping — even if it starts as a disciplined argument before it becomes a mechanized proof.

\n

Evidence

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Zeng Y, Dong Z, Xu X. On the Termination of the HotStuff Protocol Within the Universally Composable Framework [Internet]. IACR Cryptology ePrint Archive, Report 2025/1560; 2025. Available from: https://eprint.iacr.org/2025/1560
\n
\n
\n
2.
Yin M, Malkhi D, Reiter MK, Gueta GG, Abraham I. HotStuff: BFT Consensus with Linearity and Responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing (PODC ’19) [Internet]. 2019. Available from: https://arxiv.org/abs/1803.05069
\n
\n
\n
3.
Dwork C, Lynch N, Stockmeyer L. Consensus in the Presence of Partial Synchrony. In: Journal of the ACM [Internet]. 1988. p. 288–323. Available from: https://groups.csail.mit.edu/tds/papers/Lynch/jacm88.pdf
\n
\n
\n
4.
Canetti R. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001) [Internet]. 2001. Available from: https://eprint.iacr.org/2000/067.pdf
\n
\n
\n
5.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2026-03-hotstuff-termination-uc-delay-attacks", "title": "Termination Is a Security Boundary: HotStuff Under UC, Delay Attacks, and the Uncomfortable Gap to Rust", "summary": "Paper note (March 2026): a UC-style termination proof for HotStuff, the real invariant it relies on, and what changes when you ship it as a low-level Rust system under adversarial latency.", "date_modified": "2026-03-28T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "consensus", "BFT", "formal-methods", "cryptography", "Rust", "security" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2026-03-secure-distributed-storage-erasure-coding-under-adversaries", "content_html": "
\n

Monthly research note. Theme: Deep Systems Notes.

\n
\n

TL;DR

\n

A focused memo on Secure Distributed Storage: Erasure Coding Under Adversaries: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Interface contracts are predicates:

\n
caller obeys Pcallee guarantees Q.\\text{caller obeys } P \\Rightarrow \\text{callee guarantees } Q.caller obeys Pcallee guarantees Q.
\n

Treat config as code: version it, review it, and monitor drift.

\n

Make assumptions executable: encode them as assertions, tests, and run-time checks.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  spec[\"Spec\"] --> impl[\"Impl\"]\n  impl --> proofs[\"Proofs / Tests\"]\n  proofs --> ops[\"Ops\"]\n  ops --> incidents[\"Incidents\"]\n  incidents --> spec
\n

Implementation notes

\n

Treat integration boundaries (FFI, services, queues) as formal interfaces.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Integration note: treat FFI/service boundaries as an API with invariants.\n// Encode invariants as types where possible, assertions otherwise.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2026-03-secure-distributed-storage-erasure-coding-under-adversaries", "title": "Secure Distributed Storage: Erasure Coding Under Adversaries", "summary": "Spec-driven research note (March 2026): Secure Distributed Storage: Erasure Coding Under Adversaries.", "date_modified": "2026-03-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "cryptography", "formal-methods", "security" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2026-02-verifiable-computation-as-infrastructure-proof-systems-at-sc", "content_html": "
\n

Monthly research note. Theme: Deep Systems Notes.

\n
\n

TL;DR

\n

Verifiable Computation as Infrastructure: Proof Systems at Scale as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Composability is the promise that proofs survive integration:

\n
AdvΠ1Π2AdvΠ1+AdvΠ2.\\mathrm{Adv}_{\\Pi_1\\circ \\Pi_2} \\le \\mathrm{Adv}_{\\Pi_1} + \\mathrm{Adv}_{\\Pi_2}.AdvΠ1Π2AdvΠ1+AdvΠ2.
\n

Make assumptions executable: encode them as assertions, tests, and run-time checks.

\n

Choose what to prove and what to monitor. Both are necessary in practice.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  boundary[\"Boundary\"] --> contract[\"Contract (P -> Q)\"]\n  contract --> test[\"Tests\"]\n  test --> monitor[\"Monitoring\"]\n  monitor --> incident[\"Incident\"]\n  incident --> contract
\n

Implementation notes

\n

If it’s not enforced, it’s not a contract.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Boundary contract template:\nPreconditions (P):\n- input validation, size limits, auth context\n- monotonic versions / idempotency keys\nPostconditions (Q):\n- durable state transitions\n- evidence emitted (audit/metrics)\nFailure modes:\n- explicit, typed, and observable
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2026-02-verifiable-computation-as-infrastructure-proof-systems-at-sc", "title": "Verifiable Computation as Infrastructure: Proof Systems at Scale", "summary": "Engineering notebook entry (February 2026): Verifiable Computation as Infrastructure: Proof Systems at Scale.", "date_modified": "2026-02-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "cryptography", "formal-methods", "security" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2026-01-composable-security-where-proofs-break-in-real-systems", "content_html": "
\n

Monthly research note. Theme: Deep Systems Notes.

\n
\n

TL;DR

\n

Composable Security: Where Proofs Break in Real Systems as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Interface contracts are predicates:

\n
caller obeys Pcallee guarantees Q.\\text{caller obeys } P \\Rightarrow \\text{callee guarantees } Q.caller obeys Pcallee guarantees Q.
\n

Make assumptions executable: encode them as assertions, tests, and run-time checks.

\n

Treat config as code: version it, review it, and monitor drift.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  boundary[\"Boundary\"] --> contract[\"Contract (P -> Q)\"]\n  contract --> test[\"Tests\"]\n  test --> monitor[\"Monitoring\"]\n  monitor --> incident[\"Incident\"]\n  incident --> contract
\n

Implementation notes

\n

Operational constraints are part of the design: deploy, rollback, and drift.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Integration note: treat FFI/service boundaries as an API with invariants.\n// Encode invariants as types where possible, assertions otherwise.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2026-01-composable-security-where-proofs-break-in-real-systems", "title": "Composable Security: Where Proofs Break in Real Systems", "summary": "Threat-model-first analysis (January 2026): Composable Security: Where Proofs Break in Real Systems.", "date_modified": "2026-01-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "cryptography", "formal-methods", "security" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-12-research-frontiers-composability-proofs-and-future-primitive", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

Research Frontiers: Composability, Proofs, and Future Primitives as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Inventory first. You can’t migrate what you can’t locate.

\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  threat[\"Threat Model (quantum + classical)\"] --> design[\"Protocol Design\"]\n  design --> impl[\"Implementation (no_std where needed)\"]\n  impl --> verify[\"Verification (tests + formal)\"]\n  verify --> ops[\"Operationalization (rotation + monitoring)\"]\n  ops --> threat
\n

Implementation notes

\n

PQ readiness is a systems program: crypto, networking, ops, and UX must compose.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-12-research-frontiers-composability-proofs-and-future-primitive", "title": "Research Frontiers: Composability, Proofs, and Future Primitives", "summary": "Threat-model-first analysis (December 2025): Research Frontiers: Composability, Proofs, and Future Primitives.", "date_modified": "2025-12-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-11-long-lived-secrets-forward-secrecy-kems-and-key-erasure", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Long-Lived Secrets: Forward Secrecy, KEMs, and Key Erasure: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Risk is a function of exposure and lifetime:

\n
riskexposure×lifetime×adversary_capability.\\mathrm{risk} \\approx \\mathrm{exposure} \\times \\mathrm{lifetime} \\times \\mathrm{adversary\\_capability}.riskexposure×lifetime×adversary_capability.
\n

Inventory first. You can’t migrate what you can’t locate.

\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

Operationalize early: rollback and monitoring are part of the design.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-11-long-lived-secrets-forward-secrecy-kems-and-key-erasure", "title": "Long-Lived Secrets: Forward Secrecy, KEMs, and Key Erasure", "summary": "Design memo (November 2025): Long-Lived Secrets: Forward Secrecy, KEMs, and Key Erasure.", "date_modified": "2025-11-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-10-post-quantum-dos-surfaces-handshakes-amplification-and-mitig", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Post-Quantum DoS Surfaces: Handshakes, Amplification, and Mitigations: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Risk is a function of exposure and lifetime:

\n
riskexposure×lifetime×adversary_capability.\\mathrm{risk} \\approx \\mathrm{exposure} \\times \\mathrm{lifetime} \\times \\mathrm{adversary\\_capability}.riskexposure×lifetime×adversary_capability.
\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n

Make downgrade resistance explicit and test it like a security feature.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

Design hybrid modes with explicit binding and observable outcomes.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-10-post-quantum-dos-surfaces-handshakes-amplification-and-mitig", "title": "Post-Quantum DoS Surfaces: Handshakes, Amplification, and Mitigations", "summary": "Adversarial-first deep dive (October 2025): Post-Quantum DoS Surfaces: Handshakes, Amplification, and Mitigations.", "date_modified": "2025-10-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-09-operationalizing-pqc-monitoring-rollback-and-incident-respon", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Operationalizing PQC: Monitoring, Rollback, and Incident Response: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Inventory first. You can’t migrate what you can’t locate.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  threat[\"Threat Model (quantum + classical)\"] --> design[\"Protocol Design\"]\n  design --> impl[\"Implementation (no_std where needed)\"]\n  impl --> verify[\"Verification (tests + formal)\"]\n  verify --> ops[\"Operationalization (rotation + monitoring)\"]\n  ops --> threat
\n

Implementation notes

\n

PQ readiness is a systems program: crypto, networking, ops, and UX must compose.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Migration scoreboard:\n- Inventory coverage (% of services/devices)\n- Hybrid enabled (% of traffic)\n- Negotiation failures (by client cohort)\n- Handshake cost (CPU/bandwidth p95/p99)\n- Downgrade attempts detected
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-09-operationalizing-pqc-monitoring-rollback-and-incident-respon", "title": "Operationalizing PQC: Monitoring, Rollback, and Incident Response", "summary": "Spec-driven research note (September 2025): Operationalizing PQC: Monitoring, Rollback, and Incident Response.", "date_modified": "2025-09-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/blog/quantum-tunneler", "content_html": "

Introduction

\n

As quantum computing capabilities advance, classical public-key schemes such as RSA and ECC face existential threats. Quantum Tunneler is a ground-up Rust implementation of a fully quantum-safe IPSec stack, demonstrating how to build secure network tunnels that resist adversaries equipped with quantum hardware. This article walks through the motivations, the core architecture, and the deep technical details that make Quantum Tunneler both performant and future-proof.

\n

The Quantum Threat & Motivation

\n
    \n
  1. Shor’s Algorithm breaks RSA/ECDSA/ECDH in polynomial time.
    2. \n
  2. Harvest-now, decrypt-later attacks put any recorded IPSec sessions at risk.
    3. \n
  3. Regulatory & compliance demands are shifting toward post-quantum readiness.
    4. \n
\n

Quantum Tunneler addresses these challenges by replacing the classical Diffie-Hellman and signature primitives at every layer of the IPSec stack with NIST-recommended post-quantum algorithms:

\n\n

Post-Quantum Cryptography Primer

\n

Before diving into the implementation, a quick recap of the two core algorithms:

\n\n

Both are implemented in pure Rust (with optional no_std) and integrated via generic traits:

\n
pub trait KeyEncapsulation {\n    type PublicKey; type SecretKey; type Ciphertext; type SharedSecret;\n    fn keygen() -> (PublicKey, SecretKey);\n    fn encapsulate(pk: &PublicKey) -> (Ciphertext, SharedSecret);\n    fn decapsulate(sk: &SecretKey, ct: &Ciphertext) -> SharedSecret;\n}\n\npub trait DigitalSignature {\n    type PublicKey; type SecretKey; type Signature;\n    fn keygen() -> (PublicKey, SecretKey);\n    fn sign(sk: &SecretKey, message: &[u8]) -> Signature;\n    fn verify(pk: &PublicKey, message: &[u8], sig: &Signature) -> bool;\n}
\n

IPSec & IKEv2 Overview

\n

IPSec provides confidentiality, integrity, and anti-replay for IP packets via two main components:

\n\n

Quantum Tunneler replaces:

\n\n

Architecture & Workspace Layout

\n

Quantum Tunneler is organized as a Rust workspace:

\n
quantum-tunneler/\n├── Cargo.toml            # workspace\n├── quantum_ipsec/        # core library\n│   ├── Cargo.toml\n│   └── src/\n│       ├── crypto/       # kyber.rs, falcon.rs, traits.rs\n│       ├── ikev2/        # initiator.rs, responder.rs, parser.rs\n│       ├── ipsec/        # esp.rs, ah.rs, sa.rs, policy.rs\n│       └── utils.rs      # common types & helpers\n└── cli/                  # command-line interface\n    ├── Cargo.toml\n    └── src/\n        ├── main.rs\n        └── commands/     # init.rs, connect.rs, status.rs, benchmark.rs
\n

Core Crate (quantum_ipsec)

\n\n

CLI (quantum-ipsec)

\n

All commands are thin wrappers around core APIs via clap. Sample usage:

\n
# Initialize local peer, generate PQC keypairs\nquantum-ipsec init --config default.toml\n\n# Negotiate IKEv2 with remote peer\nquantum-ipsec connect --peer 10.0.0.2 --mode tunnel\n\n# Inspect active SAs\nquantum-ipsec status --json\n\n# Benchmark handshake & packet throughput\nquantum-ipsec benchmark --duration 30s --payload-size 512
\n

Deep Dive: ESP Packet Flow

\n
    \n
  1. SA Lookup: find SA by SPI
    2. \n
  2. Key Derivation: derive symmetric key via HKDF from Kyber SharedSecret
    3. \n
  3. Encryption: encrypt payload with XChaCha20-Poly1305 (or pure-PQC hybrid)
    4. \n
  4. MAC: compute Falcon signature over header + ciphertext
    5. \n
  5. Output: [ SPI | Sequence Number | Ciphertext | Signature ]
    6. \n
\n
pub fn encrypt_packet(sa: &SecurityAssociation, plaintext: &[u8]) -> IpPacket {\n    let sym_key = hkdf_expand(&sa.shared_secret, b\"esp-key\");\n    let ciphertext = XChaCha20Poly1305::new(&sym_key).encrypt(nonce, plaintext);\n    let signature = Falcon::sign(&sa.sk_sig, &ciphertext);\n    IpPacket { spi: sa.spi, seq: sa.seq_next(), data: ciphertext, auth: signature }\n}
\n

Performance Considerations & Benchmarking

\n\n

Testing & Validation

\n\n

Future Extensions

\n\n

Conclusion

\n

Quantum Tunneler demonstrates that it is entirely feasible to implement a production-grade IPSec stack with post-quantum security in Rust. By modularizing the core cryptographic primitives, protocol logic, and user interface, the project provides a blueprint for next-generation secure networking—ready for the era of quantum adversaries. Contributions, feedback, and forks are highly encouraged!

", "url": "https://mayckongiovani.xyz/blog/quantum-tunneler", "title": "Quantum Tunneler: A Quantum-Safe IPSec Stack in Rust", "summary": "An in-depth technical deep-dive into Quantum Tunneler—an end-to-end, Rust-based implementation of a post-quantum IPSec stack leveraging Kyber and Falcon.", "date_modified": "2025-08-03T00:00:00.000Z", "tags": [ "post-quantum-cryptography", "Rust", "IPSec", "cryptography", "no-std", "network-security" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-08-quantum-safe-vpn-design-lessons-from-implementing-a-pq-ipsec", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

Quantum-Safe VPN Design: Lessons from Implementing a PQ IPSec Stack as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

Design hybrid modes with explicit binding and observable outcomes.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-08-quantum-safe-vpn-design-lessons-from-implementing-a-pq-ipsec", "title": "Quantum-Safe VPN Design: Lessons from Implementing a PQ IPSec Stack", "summary": "Threat-model-first analysis (August 2025): Quantum-Safe VPN Design: Lessons from Implementing a PQ IPSec Stack.", "date_modified": "2025-08-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/quantumsafe-finance-phase-2", "content_html": "

\n \n \n \n \n

\n

Introduction

\n

In 2025, we stand on the brink of a seismic shift in information security. Quantum computers, harnessing phenomena such as superposition and entanglement, threaten to undermine nearly all public-key cryptosystems in use today. At QuantumSafe Finance, we’re building an Open-Core framework that blends high-performance post-quantum primitives with an intelligent audit pipeline—allowing financial institutions to prepare now for a quantum future while maintaining compliance and performance.

\n

This article explores:

\n
    \n
  1. Why post-quantum cryptography (PQC) is essential for fintech and banking
    2. \n
  2. The threat models introduced by large-scale quantum hardware
    3. \n
  3. Our Phase 2 “Audit Lite” architecture and progress
    4. \n
  4. A deep technical dive into audit pipelines, ML anomaly detection, and rule engines
    5. \n
  5. Integration examples, performance numbers, and next steps
    6. \n
\n
\n

“The only secure computer is one that’s powered off, locked in a safe, and buried forty feet underground.”\n― Gene Spafford, paraphrased

\n

We’re not burying servers underground, but we are building tomorrow’s cryptographic defenses today.

\n
\n
\n

1. Why Post-Quantum Cryptography Matters

\n

1.1 The Quantum Threat Model

\n\n

Financial systems rely on RSA/ECC for TLS handshakes, digital signatures, code signing, and blockchain consensus. A single fault in key management can cascade into massive breaches:

\n\n

1.2 Industry Context

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
AlgorithmClassical SecurityQuantum-Resilient Alternative
RSA-2048~112-bitKyber-512 (CSPR > 128-bit)
ECC-P256~128-bitDilithium-II (≥128-bit)
HMAC-SHA2256-bitSHA2-256 w/ doubled key length
\n

PQC standards are finalized; NIST approved CRYSTALS-Kyber, Dilithium, Falcon, and SPHINCS+ in late 2024. Integration at scale remains the challenge.

\n
\n

2. Phase 2 – “Audit Lite” Module

\n

We’ve completed Phase 1 (core PQC Rust engine, multi-language bindings, TLS sidecar PoC). Now in Phase 2, we’re delivering:

\n\n

2.1 Goals & Scope

\n
    \n
  1. Detect misuse patterns such as\n\n
    2. \n
  2. Automate regulatory compliance checks (PCI DSS, ISO 27001, LGPD)
    3. \n
  3. Minimize operational overhead: add < 1 ms per transaction, scale to 5 K TPS per node
    4. \n
\n
\n

3. Technical Deep Dive

\n

3.1 Log Ingestion Pipeline

\n
# Helm values for Audit Lite deployment\naudit:\n  enabled: true\n  kafka:\n    brokers:\n      - kafka1:9092\n      - kafka2:9092\n    topic: pqc-logs\n  elasticsearch:\n    hosts:\n      - es1:9200\n      - es2:9200
\n
    \n
  1. \n

    Producers (sidecar + core engine) emit structured JSON logs:

    \n
    {\n  \"timestamp\": \"2025-08-03T12:45:23Z\",\n  \"component\": \"pqc-engine\",\n  \"operation\": \"sign\",\n  \"algorithm\": \"Dilithium-II\",\n  \"duration_ms\": 0.45,\n  \"status\": \"OK\",\n  \"client_id\": \"accounting-service\"\n}
    \n
    2. \n
  2. \n

    Kafka provides durable buffering and partitioned scale.

    \n
    3. \n
  3. \n

    Logstash (or custom Python consumer) transforms and pushes to Elasticsearch indices with time-based sharding.

    \n
    4. \n
\n

3.2 Rule Engine (YARA-like)

\n
# Example rule\nrules:\n  - id: late-night-signs\n    description: \"Signing operations between 02:00–04:00 UTC\"\n    condition: |\n      operation == \"sign\" &&\n      (hour(timestamp) >= 2 && hour(timestamp) < 4)
\n\n

3.3 ML-Driven Anomaly Detection

\n
# Simplified example: Isolation Forest on duration_ms\nfrom sklearn.ensemble import IsolationForest\nmodel = IsolationForest(contamination=0.01)\nX = load_feature_matrix(index=\"pqc-logs-*\", features=[\"duration_ms\", \"payload_size\"])\nmodel.fit(X)\nanomalies = model.predict(X)  # -1 indicates anomaly
\n\n

3.4 Dashboard & Reports

\n
<!-- React snippet: rendering alert counts -->\n<AlertChart\n  data={fetch(\"/api/audit/alerts?range=24h\")}\n  xKey=\"rule_id\"\n  yKey=\"count\"\n/>
\n\n
\n

4. Integration Example

\n

Developers can integrate Audit Lite with a few YAML lines:

\n
quantumsafe:\n  pqcSidecar:\n    image: quantumsafe/pqc-sidecar:2.0.0\n    args:\n      - --audit-topic=pqc-logs\n  auditLite:\n    enabled: true\n    rulesFile: /etc/quantumsafe/rules.yaml
\n

In Kubernetes: deploy as two containers in the same Pod (sidecar + audit service). No code changes required in the application.

\n
\n

5. Performance & Scaling

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
MetricMeasured Result
Sidecar handshake overhead0.5 ms ± 0.1 ms
Audit pipeline end-to-end latency8 ms (median)
ML model inference time1.2 ms per event
Horizontal scaling10K events/s per instance
\n

Linear scaling demonstrated up to 100K events/s across a 10-node cluster.

\n
\n

6. Next Steps & Roadmap

\n
    \n
  1. \n

    Phase 3 – Full Enterprise Modules

    \n\n
    2. \n
  2. \n

    Phase 4 – Certification & Compliance Tooling

    \n\n
    3. \n
  3. \n

    Phase 5 – Ecosystem & Marketplace

    \n\n
    4. \n
\n
\n

Conclusion

\n

Phase 2 represents a crucial milestone: enabling intelligent, automated auditing alongside quantum-safe cryptography. By addressing both the cryptographic threat and operational compliance, we position QuantumSafe Finance as a research-driven, production-ready framework—poised to become the standard for financial institutions navigating the quantum era.

\n
# Quick reference: Phase status\nphase: 2\ncore: complete\nauditLite: in-development\nenterpriseModules: pending
\n
", "url": "https://mayckongiovani.xyz/pensieve/quantumsafe-finance-phase-2", "title": "QuantumSafe Finance – Deep Technical Overview (Phase 2)", "summary": "Comprehensive article on the motivations, architecture, and current Phase 2 development of the QuantumSafe Finance Open-Core PQC platform.", "date_modified": "2025-08-01T00:00:00.000Z", "tags": [ "post-quantum", "cryptography", "fintech", "audit" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-07-no-std-crypto-in-rust-determinism-side-channels-and-constrai", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

no_std Crypto in Rust: Determinism, Side Channels, and Constraints as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Risk is a function of exposure and lifetime:

\n
riskexposure×lifetime×adversary_capability.\\mathrm{risk} \\approx \\mathrm{exposure} \\times \\mathrm{lifetime} \\times \\mathrm{adversary\\_capability}.riskexposure×lifetime×adversary_capability.
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Inventory first. You can’t migrate what you can’t locate.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  threat[\"Threat Model (quantum + classical)\"] --> design[\"Protocol Design\"]\n  design --> impl[\"Implementation (no_std where needed)\"]\n  impl --> verify[\"Verification (tests + formal)\"]\n  verify --> ops[\"Operationalization (rotation + monitoring)\"]\n  ops --> threat
\n

Implementation notes

\n

Operationalize early: rollback and monitoring are part of the design.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-07-no-std-crypto-in-rust-determinism-side-channels-and-constrai", "title": "no_std Crypto in Rust: Determinism, Side Channels, and Constraints", "summary": "Engineering notebook entry (July 2025): no_std Crypto in Rust: Determinism, Side Channels, and Constraints.", "date_modified": "2025-07-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/neurotradex-architecture", "content_html": "

\n \n \n \n \n

\n
\n

NeuroTradeX is an advanced, modular trading platform designed for real-time, explainable AI in financial and crypto markets.\nIt was built with a focus on transparency, security, extensibility, and performance — combining technologies like LSTM, Transformers, SHAP, WebSocket streaming, Dockerized services, and real exchange integrations.

\n
\n
\n

⚙️ System Overview

\n

At its core, NeuroTradeX is composed of 5 decoupled services:

\n
    \n
  1. data-core: feature pipelines, OHLCV ingestion, sentiment processing via LLMs
    2. \n
  2. model-engine: deep learning prediction using LSTM, Transformer, and SHAP explanations
    3. \n
  3. exec-core: real or simulated execution (Binance, paper trading), with risk controls
    4. \n
  4. dashboard-ui: live Next.js UI to monitor model confidence, signal history, logs
    5. \n
  5. alert-system: async, multi-channel alerts via Telegram, Discord, and Webhooks
    6. \n
\n

The entire system is open-source and hosted at:\n🔗 gitlab.com/neurotradex

\n
\n

🧱 Modular Architecture

\n

Each module runs independently, communicates through structured JSON files or WebSocket streams, and is deployable via Docker Compose or Kubernetes.

\n
\n

📊 Data Pipeline Highlights

\n

The data-core module is responsible for ingesting:

\n\n
technicals.py
\n
def compute_macd(df):\n    macd = df['close'].ewm(span=12).mean() - df['close'].ewm(span=26).mean()\n    signal = macd.ewm(span=9).mean()\n    return macd, signal
\n
\n

🧠 AI Modeling: model-engine

\n

This module provides both supervised learning and interpretable AI via:

\n\n
shap_wrapper.py
\n
explainer = shap.Explainer(model, sample_data)\nshap_values = explainer(data_point)\nshap.plots.waterfall(shap_values[0])
\n

All models export signal objects in a common schema for consumption by the exec-core.

\n
\n

🛡️ Execution Engine: exec-core

\n

Built with security and precision in mind, this module handles:

\n\n
trade_executor.py
\n
if risk_manager.validate(signal):\n    executor.place_order(signal.asset, signal.side, size)\nelse:\n    fallback.notify(signal, reason=\"risk_threshold_breached\")
\n

Trade logs and decisions are timestamped and persisted locally.

\n
\n

📺 UI: dashboard-ui

\n

Written in Next.js + Tailwind, the dashboard:

\n\n
LiveChart.tsx
\n
<LightweightChart\n  data={ohlcv}\n  signals={executedSignals}\n  overlays={shapAttributions}\n/>
\n
\n

🔔 Real-Time Notifications: alert-system

\n

This service asynchronously pushes alerts to:

\n\n

It uses jinja2 templating, retries, exponential backoff, and tokenized configs via .env.

\n
telegram_alert.py
\n
def send(signal: TradeSignal):\n    message = render_template(\"signal_message.md\", signal)\n    bot.send_message(chat_id=chat, text=message, parse_mode=\"Markdown\")
\n

Logs are grouped by date in /logs/alerts/YYYY-MM-DD.log.

\n
\n

🧪 Testing & CI/CD

\n

Each module is:

\n\n
\n

🌍 Final Thoughts

\n

Developing NeuroTradeX was an exercise in bringing together:

\n\n

Its open-source nature allows contributors, researchers, and traders to explore, extend, and build upon a transparent architecture built for reliability and real-world applicability.

\n

Whether you're working in DeFi, TradFi, or AI-driven quantitative systems, NeuroTradeX provides a foundation ready to grow.

\n
\n

Repository: gitlab.com/neurotradex

\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/neurotradex-architecture", "title": "Building NeuroTradeX — Architecting an AI-Driven Trading System", "summary": "A deep-dive into the modular design, architecture, and implementation of the NeuroTradeX open-source platform for financial and crypto trading.", "date_modified": "2025-06-18T00:00:00.000Z", "tags": [ "AI", "Trading", "Crypto", "Fintech", "Engineering", "Rust", "Python" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-06-bft-with-pq-primitives-when-crypto-costs-dominate", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on BFT with PQ Primitives: When Crypto Costs Dominate: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Inventory first. You can’t migrate what you can’t locate.

\n

Make downgrade resistance explicit and test it like a security feature.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

Operationalize early: rollback and monitoring are part of the design.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-06-bft-with-pq-primitives-when-crypto-costs-dominate", "title": "BFT with PQ Primitives: When Crypto Costs Dominate", "summary": "Spec-driven research note (June 2025): BFT with PQ Primitives: When Crypto Costs Dominate.", "date_modified": "2025-06-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-05-quantum-resilient-identity-device-human-online-offline", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Quantum-Resilient Identity: Device + Human, Online + Offline: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Inventory first. You can’t migrate what you can’t locate.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

PQ readiness is a systems program: crypto, networking, ops, and UX must compose.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-05-quantum-resilient-identity-device-human-online-offline", "title": "Quantum-Resilient Identity: Device + Human, Online + Offline", "summary": "Adversarial-first deep dive (May 2025): Quantum-Resilient Identity: Device + Human, Online + Offline.", "date_modified": "2025-05-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/cpzkp-chaum-pedersen-zkp", "content_html": "

\"CPZKp

\n
\n

“You don’t start with ZK. ZK starts with you.” — someone probably

\n
\n

Introduction

\n

In late 2023, the seed for CPZKp was planted: a lightweight, modular, and no-bullshit Rust library for zero-knowledge proofs using the Chaum-Pedersen protocol. The motivation was personal and practical — to build a foundation that respects cryptographic rigor, while remaining usable in real-world systems, especially those relying on elliptic curve cryptography (ECC).

\n

This post is not a “hello world.” It’s a journey — from group theory to Curve25519 bindings, from low-level proof serialization to full WASM exports. If you're looking for a project that goes from first principles to full-stack cryptography, buckle up.

\n
\n

Motivation

\n

By 2023, a few realities had become clear:

\n
    \n
  1. Most zero-knowledge implementations are either academic toys or tightly bound to specific use cases (blockchains, zkSNARKs, etc).
    2. \n
  2. Libraries like bulletproofs or zkcrypto are excellent, but bloated when you need just authentication proofs.
    3. \n
  3. There was no ergonomic, extensible, and no_std-capable Chaum-Pedersen implementation in Rust.
    4. \n
\n
\n

CPZKp was born from frustration — and fascination.

\n
\n
\n

What is the Chaum-Pedersen ZKP?

\n

It’s a proof of equality of discrete logs:\nIf you know x such that g^x = A and h^x = B, you can prove knowledge of x without revealing it.

\n

This is essential in:

\n\n

The challenge was: how do we express this cleanly across scalar groups and ECC, and still support Curve25519?

\n
\n

Designing the Library

\n

We started with a few key design principles:

\n

Protocols as Traits

\n
pub trait ZkpProtocol {\n    type Secret;\n    type Public;\n    type Proof;\n\n    fn prove(secret: &Self::Secret, pub_input: &Self::Public) -> Self::Proof;\n    fn verify(public: &Self::Public, proof: &Self::Proof) -> bool;\n}
\n

Protocols are swappable. This allows for different backends (secp256k1, Ristretto, ScalarGroup) and experimentation with variants.

\n

Scalar and ECC Support

\n
mod scalar;\nmod ecc;
\n

Internally, both conform to common traits like GroupElement, enabling unified logic in proof generators and verifiers.

\n
\n

Serialization: Making Proofs Portable

\n

One key requirement was to serialize proofs for transmission.

\n

We used serde and implemented robust custom serialization for scalar and ECC formats:

\n
#[derive(Serialize, Deserialize)]\npub struct ChaumPedersenProof {\n    pub t1: GroupElement,\n    pub t2: GroupElement,\n    pub challenge: Scalar,\n    pub response: Scalar,\n}
\n

This allowed JSON/web compatibility from day one.

\n
\n

Testing the Unprovable

\n

We didn’t stop at unit tests. CPZKp includes:

\n\n
proptest! {\n    #[test]\n    fn prove_and_verify_should_hold(ref s in any::<Scalar>()) {\n        let (pk, proof) = ChaumPedersen::prove(&s);\n        prop_assert!(ChaumPedersen::verify(&pk, &proof));\n    }\n}
\n
\n

WASM and Python Bindings

\n

We wanted this lib usable in:

\n\n

Result:

\n\n
#[wasm_bindgen]\npub fn prove_json(sk: &str, pk: &str) -> String {\n    ...\n}
\n

Now CPZKp runs in browsers and Jupyter notebooks.

\n
\n

CLI Tool

\n

We implemented a command-line utility for quick usage:

\n
cpzkp gen-key\ncpzkp prove --msg \"authenticate me\"\ncpzkp verify --proof proof.json
\n

Backed by clap, this made it ideal for scripting, automation, or even classroom demos.

\n
\n

Performance

\n

Benchmarks were done using criterion. Example:

\n
group                           time\nChaumPedersen_scalar_prove     1.2 µs\nChaumPedersen_ecc_prove        4.8 µs\nChaumPedersen_verify_scalar    0.9 µs\nChaumPedersen_verify_ecc       3.7 µs
\n

Enough for embedded use and authentication services.

\n
\n

What We Learned

\n\n
\n

Roadmap

\n\n
\n

Conclusion

\n

CPZKp isn’t another toy crypto lib. It’s a usable, modular ZKP toolkit built from real-world needs, shaped by frustration, and delivered with love — in Rust.

\n

Try it. Break it. Extend it.

\n
\n

GitHub

", "url": "https://mayckongiovani.xyz/pensieve/cpzkp-chaum-pedersen-zkp", "title": "CPZKp - Building Practical Zero-Knowledge Proofs in Rust from Scratch", "summary": "A deep technical dive into the motivations, design, and implementation of CPZKp, a Chaum-Pedersen based ZK authentication library in Rust.", "date_modified": "2025-04-28T00:00:00.000Z", "tags": [ "Rust", "cryptography", "zero-knowledge", "chaum-pedersen", "ecc", "curve25519", "security", "portfolio" ] }, { "id": "https://mayckongiovani.xyz/pensieve/pqc-iiot-post-quantum-cryptography-rust", "content_html": "

\"Post-Quantum

\n
\n

\"Quantum-safe infrastructure starts at the silicon level. We built pqc-iiot to be that foundation.\"

\n
\n

Why We Built pqc-iiot

\n

The looming threat of quantum computing has made it imperative to rethink how we secure digital communication — especially in Industrial IoT (IIoT) systems, where devices are often deployed for decades with limited ability to patch or upgrade.

\n

pqc-iiot is a modular, no_std-compatible Rust crate designed from scratch to bring post-quantum cryptographic primitives to resource-constrained devices.

\n

Our goal was to build a portable, memory-efficient, and secure-by-design library that supports Kyber (KEM), Falcon (signatures), and other NIST PQC algorithms with real-world applicability in constrained IIoT environments.

\n

Design Requirements

\n

We started with some hard non-negotiables:

\n\n

Architecture Overview

\n

The crate follows a modular layout:

\n
src/\n├── kem.rs         # Kyber / Saber (KEM)\n├── sign.rs        # Falcon / Dilithium (signatures)\n├── profile.rs     # CryptoProfile abstraction layer\n├── utils.rs       # RNG, hashing, key encoding\n├── lib.rs         # Public API
\n

Supported Algorithms

\n

We currently support:

\n\n

These can be selected via Cargo features, or grouped into profiles.

\n

Crypto Profiles

\n

To simplify configuration and usage in constrained environments, we introduced CryptoProfile, a high-level abstraction for pairing a KEM with a digital signature scheme.

\n
let profile = CryptoProfile::KyberFalcon;\nlet (pk, sk) = profile.generate_keypair();\nlet ciphertext = profile.encapsulate(&pk);\nlet signature = profile.sign(&sk, message);
\n

This allows developers to pick from balanced, high-security, or low-power profiles depending on hardware capabilities.

\n

Integration with IIoT Protocols

\n

The library was built to be integrated into:

\n\n
\n

Secure payloads are encapsulated using Kyber and authenticated with Falcon, enabling end-to-end post-quantum secure messaging.

\n
\n

Performance & Footprint

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
OperationKyber512Falcon512Platform
Keygen~3.1ms~9.4msSTM32F4 (168MHz)
Encaps/Decaps~2.8msN/A
Sign/VerifyN/A~8.9ms
RAM (peak)<32KB<45KB
\n\n

Security Considerations

\n\n

Development Process

\n
    \n
  1. Phase 1 — Research & algorithm selection
    2. \n
  2. Phase 2no_std crate skeleton, Kyber+Falcon working
    3. \n
  3. Phase 3 — MQTT/CoAP integration, secure messaging
    4. \n
  4. Phase 4 — Benchmarks, fuzz testing, memory profiling
    5. \n
  5. Phase 5 — Expansion with Saber, Dilithium, BIKE
    6. \n
  6. Phase 6 — Introduction of CryptoProfile abstraction
    7. \n
\n

Limitations

\n\n

Future Directions

\n\n

Try It Now

\n
cargo add pqc-iiot --git https://github.com/doomhammerhell/pqc-iiot
\n

Final Thoughts

\n
\n

We don’t just need stronger encryption — we need encryption that survives the next 30 years.

\n
\n

pqc-iiot is an evolving foundation for secure-by-default IIoT systems. Whether you’re securing sensors, edge gateways, or autonomous machines, this crate is designed to give you the cryptographic edge in a quantum future.

\n
\n

💬 Questions? PRs and issues welcome at GitHub.

\n
\n---
", "url": "https://mayckongiovani.xyz/pensieve/pqc-iiot-post-quantum-cryptography-rust", "title": "Post-Quantum Cryptography for Industrial IoT with Rust", "summary": "A deep technical dive into the pqc-iiot Rust crate for secure, no_std, post-quantum cryptography in embedded and IIoT environments.", "date_modified": "2025-04-28T00:00:00.000Z", "tags": [ "post-quantum", "rust", "iiot", "cryptography", "no_std", "embedded" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-04-pqc-for-blockchain-signatures-wallet-ux-size-and-verificatio", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on PQC for Blockchain Signatures: Wallet UX, Size, and Verification Cost: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

PQ readiness is a systems program: crypto, networking, ops, and UX must compose.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-04-pqc-for-blockchain-signatures-wallet-ux-size-and-verificatio", "title": "PQC for Blockchain Signatures: Wallet UX, Size, and Verification Cost", "summary": "Adversarial-first deep dive (April 2025): PQC for Blockchain Signatures: Wallet UX, Size, and Verification Cost.", "date_modified": "2025-04-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-03-quantum-safe-secure-boot-firmware-roots-and-pq-signatures", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

Quantum-Safe Secure Boot: Firmware Roots and PQ Signatures as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Risk is a function of exposure and lifetime:

\n
riskexposure×lifetime×adversary_capability.\\mathrm{risk} \\approx \\mathrm{exposure} \\times \\mathrm{lifetime} \\times \\mathrm{adversary\\_capability}.riskexposure×lifetime×adversary_capability.
\n

Make downgrade resistance explicit and test it like a security feature.

\n

Inventory first. You can’t migrate what you can’t locate.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  inventory[\"Inventory\"] --> prioritize[\"Prioritize\"]\n  prioritize --> hybrid[\"Hybrid Deploy\"]\n  hybrid --> monitor[\"Monitor\"]\n  monitor --> cutover[\"Cutover\"]\n  cutover --> deprecate[\"Deprecate Old\"]
\n

Implementation notes

\n

Design hybrid modes with explicit binding and observable outcomes.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-03-quantum-safe-secure-boot-firmware-roots-and-pq-signatures", "title": "Quantum-Safe Secure Boot: Firmware Roots and PQ Signatures", "summary": "Engineering notebook entry (March 2025): Quantum-Safe Secure Boot: Firmware Roots and PQ Signatures.", "date_modified": "2025-03-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-02-hybrid-key-management-rotations-across-algorithm-families", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Hybrid Key Management: Rotations Across Algorithm Families: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Treat ops as part of the protocol: monitoring, rollback, and incident response.

\n

Make downgrade resistance explicit and test it like a security feature.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  threat[\"Threat Model (quantum + classical)\"] --> design[\"Protocol Design\"]\n  design --> impl[\"Implementation (no_std where needed)\"]\n  impl --> verify[\"Verification (tests + formal)\"]\n  verify --> ops[\"Operationalization (rotation + monitoring)\"]\n  ops --> threat
\n

Implementation notes

\n

Design hybrid modes with explicit binding and observable outcomes.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-02-hybrid-key-management-rotations-across-algorithm-families", "title": "Hybrid Key Management: Rotations Across Algorithm Families", "summary": "Spec-driven research note (February 2025): Hybrid Key Management: Rotations Across Algorithm Families.", "date_modified": "2025-02-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2025-01-quantum-threat-modeling-for-infrastructure-what-changes-what", "content_html": "
\n

Monthly research note. Theme: Quantum-Resilient Systems Engineering.

\n
\n

TL;DR

\n

A focused memo on Quantum Threat Modeling for Infrastructure: What Changes, What Doesn’t: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Hybrid composition should be explicit and transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Inventory first. You can’t migrate what you can’t locate.

\n

Make downgrade resistance explicit and test it like a security feature.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  threat[\"Threat Model (quantum + classical)\"] --> design[\"Protocol Design\"]\n  design --> impl[\"Implementation (no_std where needed)\"]\n  impl --> verify[\"Verification (tests + formal)\"]\n  verify --> ops[\"Operationalization (rotation + monitoring)\"]\n  ops --> threat
\n

Implementation notes

\n

Operationalize early: rollback and monitoring are part of the design.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// PQ migration note: \"enabled\" is not \"safe\" unless binding and downgrade resistance are explicit.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2025-01-quantum-threat-modeling-for-infrastructure-what-changes-what", "title": "Quantum Threat Modeling for Infrastructure: What Changes, What Doesn’t", "summary": "Adversarial-first deep dive (January 2025): Quantum Threat Modeling for Infrastructure: What Changes, What Doesn’t.", "date_modified": "2025-01-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "security-critical-infrastructure", "protocol-design", "cryptography" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-12-designing-for-catastrophic-failure-compartmentalization-and-", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Designing for Catastrophic Failure: Compartmentalization and Recovery: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Resilience is about containment:

\n
damageiblast_radius(i)withblast_radius(i) bounded by design.\\text{damage} \\le \\sum_i \\text{blast\\_radius}(i)\\quad\\text{with}\\quad \\text{blast\\_radius}(i)\\ \\text{bounded by design}.damageiblast_radius(i)withblast_radius(i) bounded by design.
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Evidence checklist:\n- Immutable logs (append-only)\n- Signed audit events\n- Time sync monitoring\n- Dependency health snapshots\n- Config change history
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-12-designing-for-catastrophic-failure-compartmentalization-and-", "title": "Designing for Catastrophic Failure: Compartmentalization and Recovery", "summary": "Spec-driven research note (December 2024): Designing for Catastrophic Failure: Compartmentalization and Recovery.", "date_modified": "2024-12-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-11-zkp-systems-engineering-provers-verifiers-and-operational-co", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

ZKP Systems Engineering: Provers, Verifiers, and Operational Cost as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-11-zkp-systems-engineering-provers-verifiers-and-operational-co", "title": "ZKP Systems Engineering: Provers, Verifiers, and Operational Cost", "summary": "Threat-model-first analysis (November 2024): ZKP Systems Engineering: Provers, Verifiers, and Operational Cost.", "date_modified": "2024-11-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-10-formal-verification-of-crypto-protocols-models-gaps-and-pain", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Formal Verification of Crypto Protocols: Models, Gaps, and Pain: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Define which operations fail closed vs fail open. Do it before an incident.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Degraded modes are design artifacts. Write them down and test them.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-10-formal-verification-of-crypto-protocols-models-gaps-and-pain", "title": "Formal Verification of Crypto Protocols: Models, Gaps, and Pain", "summary": "Spec-driven research note (October 2024): Formal Verification of Crypto Protocols: Models, Gaps, and Pain.", "date_modified": "2024-10-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-09-secure-enclaves-in-distributed-systems-remote-attestation-an", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Secure Enclaves in Distributed Systems: Remote Attestation and Trust: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Keep evidence pipelines alive: you can’t respond blind.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-09-secure-enclaves-in-distributed-systems-remote-attestation-an", "title": "Secure Enclaves in Distributed Systems: Remote Attestation and Trust", "summary": "Spec-driven research note (September 2024): Secure Enclaves in Distributed Systems: Remote Attestation and Trust.", "date_modified": "2024-09-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-08-metadata-and-privacy-the-hard-part-isn-t-encryption", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

Metadata and Privacy: The Hard Part Isn’t Encryption as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Resilience is about containment:

\n
damageiblast_radius(i)withblast_radius(i) bounded by design.\\text{damage} \\le \\sum_i \\text{blast\\_radius}(i)\\quad\\text{with}\\quad \\text{blast\\_radius}(i)\\ \\text{bounded by design}.damageiblast_radius(i)withblast_radius(i) bounded by design.
\n

Define which operations fail closed vs fail open. Do it before an incident.

\n

Treat observability as a dependency: protect it from overload and manipulation.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Keep evidence pipelines alive: you can’t respond blind.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Evidence checklist:\n- Immutable logs (append-only)\n- Signed audit events\n- Time sync monitoring\n- Dependency health snapshots\n- Config change history
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-08-metadata-and-privacy-the-hard-part-isn-t-encryption", "title": "Metadata and Privacy: The Hard Part Isn’t Encryption", "summary": "Threat-model-first analysis (August 2024): Metadata and Privacy: The Hard Part Isn’t Encryption.", "date_modified": "2024-08-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-07-byzantine-fault-injection-testing-protocols-like-an-attacker", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Byzantine Fault Injection: Testing Protocols Like an Attacker: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-07-byzantine-fault-injection-testing-protocols-like-an-attacker", "title": "Byzantine Fault Injection: Testing Protocols Like an Attacker", "summary": "Adversarial-first deep dive (July 2024): Byzantine Fault Injection: Testing Protocols Like an Attacker.", "date_modified": "2024-07-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-06-consensus-under-attack-adaptive-adversaries-and-network-cont", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Consensus Under Attack: Adaptive Adversaries and Network Control: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Resilience is about containment:

\n
damageiblast_radius(i)withblast_radius(i) bounded by design.\\text{damage} \\le \\sum_i \\text{blast\\_radius}(i)\\quad\\text{with}\\quad \\text{blast\\_radius}(i)\\ \\text{bounded by design}.damageiblast_radius(i)withblast_radius(i) bounded by design.
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Define which operations fail closed vs fail open. Do it before an incident.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Keep evidence pipelines alive: you can’t respond blind.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-06-consensus-under-attack-adaptive-adversaries-and-network-cont", "title": "Consensus Under Attack: Adaptive Adversaries and Network Control", "summary": "Spec-driven research note (June 2024): Consensus Under Attack: Adaptive Adversaries and Network Control.", "date_modified": "2024-06-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-05-time-based-attacks-ntp-manipulation-expiration-and-replay", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Time-Based Attacks: NTP Manipulation, Expiration, and Replay: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Resilience is about containment:

\n
damageiblast_radius(i)withblast_radius(i) bounded by design.\\text{damage} \\le \\sum_i \\text{blast\\_radius}(i)\\quad\\text{with}\\quad \\text{blast\\_radius}(i)\\ \\text{bounded by design}.damageiblast_radius(i)withblast_radius(i) bounded by design.
\n

Define which operations fail closed vs fail open. Do it before an incident.

\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Evidence checklist:\n- Immutable logs (append-only)\n- Signed audit events\n- Time sync monitoring\n- Dependency health snapshots\n- Config change history
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-05-time-based-attacks-ntp-manipulation-expiration-and-replay", "title": "Time-Based Attacks: NTP Manipulation, Expiration, and Replay", "summary": "Adversarial-first deep dive (May 2024): Time-Based Attacks: NTP Manipulation, Expiration, and Replay.", "date_modified": "2024-05-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-04-sandbox-escapes-isolation-boundaries-as-a-design-input", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Sandbox Escapes: Isolation Boundaries as a Design Input: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Define which operations fail closed vs fail open. Do it before an incident.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Keep evidence pipelines alive: you can’t respond blind.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Evidence checklist:\n- Immutable logs (append-only)\n- Signed audit events\n- Time sync monitoring\n- Dependency health snapshots\n- Config change history
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-04-sandbox-escapes-isolation-boundaries-as-a-design-input", "title": "Sandbox Escapes: Isolation Boundaries as a Design Input", "summary": "Spec-driven research note (April 2024): Sandbox Escapes: Isolation Boundaries as a Design Input.", "date_modified": "2024-04-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-03-supply-chain-attacks-dependency-poisoning-and-maintainer-com", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on Supply Chain Attacks: Dependency Poisoning and Maintainer Compromise: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n

Define which operations fail closed vs fail open. Do it before an incident.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-03-supply-chain-attacks-dependency-poisoning-and-maintainer-com", "title": "Supply Chain Attacks: Dependency Poisoning and Maintainer Compromise", "summary": "Adversarial-first deep dive (March 2024): Supply Chain Attacks: Dependency Poisoning and Maintainer Compromise.", "date_modified": "2024-03-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-02-ddos-at-scale-adaptive-defense-and-cost-asymmetry", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

A focused memo on DDoS at Scale: Adaptive Defense and Cost Asymmetry: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Engineer friction where attackers pay but legitimate users don’t (asymmetric controls).

\n

Treat observability as a dependency: protect it from overload and manipulation.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  edge[\"Edge (rate limits + WAF)\"] --> core[\"Core Services\"]\n  core --> data[\"Data Plane\"]\n  data --> control[\"Control Plane\"]\n  control --> edge\n  siem[\"Detection/Response\"] --> core\n  siem --> edge
\n

Implementation notes

\n

Prefer containment over heroics: isolate blast radius, keep core correct.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Evidence checklist:\n- Immutable logs (append-only)\n- Signed audit events\n- Time sync monitoring\n- Dependency health snapshots\n- Config change history
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-02-ddos-at-scale-adaptive-defense-and-cost-asymmetry", "title": "DDoS at Scale: Adaptive Defense and Cost Asymmetry", "summary": "Spec-driven research note (February 2024): DDoS at Scale: Adaptive Defense and Cost Asymmetry.", "date_modified": "2024-02-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2024-01-bgp-and-routing-attacks-engineering-for-the-internet-we-have", "content_html": "
\n

Monthly research note. Theme: Adversarial Infrastructure & Global Systems.

\n
\n

TL;DR

\n

BGP and Routing Attacks: Engineering for the Internet We Have as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Defense is about cost asymmetry. If the attacker spends 111 and you spend 100100100, you lose.

\n
CostdefenseCostattack (per unit of damage prevented).\\mathrm{Cost}_\\text{defense} \\ll \\mathrm{Cost}_\\text{attack}\\ \\text{(per unit of damage prevented)}.CostdefenseCostattack (per unit of damage prevented).
\n

Treat observability as a dependency: protect it from overload and manipulation.

\n

Define which operations fail closed vs fail open. Do it before an incident.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  attack[\"Attack\"] --> detect[\"Detect\"]\n  detect --> contain[\"Contain\"]\n  contain --> recover[\"Recover\"]\n  recover --> learn[\"Learn/Regress\"]\n  learn --> detect
\n

Implementation notes

\n

Keep evidence pipelines alive: you can’t respond blind.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Degraded-mode table (example):\nOperation | Normal | Under attack | Rationale\nAuth      | full   | strict       | prevent abuse\nReads     | full   | cached/limited| protect core\nWrites    | full   | queued/limited| preserve integrity\nAdmin     | full   | JIT + MFA     | reduce blast radius
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2024-01-bgp-and-routing-attacks-engineering-for-the-internet-we-have", "title": "BGP and Routing Attacks: Engineering for the Internet We Have", "summary": "Engineering notebook entry (January 2024): BGP and Routing Attacks: Engineering for the Internet We Have.", "date_modified": "2024-01-01T00:00:00.000Z", "tags": [ "research-notes", "security", "distributed-infrastructure", "threat-modeling", "resilience" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-12-compliance-standards-translating-nist-to-engineering-action", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on Compliance & Standards: Translating NIST to Engineering Action: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Hybrid composition should be transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Interop tests are the migration plan; everything else is a hypothesis.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-12-compliance-standards-translating-nist-to-engineering-action", "title": "Compliance & Standards: Translating NIST to Engineering Action", "summary": "Adversarial-first deep dive (December 2023): Compliance & Standards: Translating NIST to Engineering Action.", "date_modified": "2023-12-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-11-migration-risk-management-inventory-prioritization-and-cutov", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

Migration Risk Management: Inventory, Prioritization, and Cutover as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Interop tests are the migration plan; everything else is a hypothesis.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-11-migration-risk-management-inventory-prioritization-and-cutov", "title": "Migration Risk Management: Inventory, Prioritization, and Cutover", "summary": "Correctness-focused deep dive (November 2023): Migration Risk Management: Inventory, Prioritization, and Cutover.", "date_modified": "2023-11-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-10-side-channels-in-pqc-implementations-where-theory-meets-cach", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

Side Channels in PQC Implementations: Where Theory Meets Cache as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n

Binding is the whole game: make the transcript an input to the KDF.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  negotiate[\"Negotiate Algorithms\"] --> bind[\"Bind Transcript\"]\n  bind --> kdf[\"KDF (hybrid)\"]\n  kdf --> keys[\"Traffic Keys\"]\n  keys --> monitor[\"Monitor + Rollback\"]
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-10-side-channels-in-pqc-implementations-where-theory-meets-cach", "title": "Side Channels in PQC Implementations: Where Theory Meets Cache", "summary": "Correctness-focused deep dive (October 2023): Side Channels in PQC Implementations: Where Theory Meets Cache.", "date_modified": "2023-10-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-09-benchmarking-pqc-what-to-measure-and-what-not-to", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

Benchmarking PQC: What to Measure (and What Not To) as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-09-benchmarking-pqc-what-to-measure-and-what-not-to", "title": "Benchmarking PQC: What to Measure (and What Not To)", "summary": "Threat-model-first analysis (September 2023): Benchmarking PQC: What to Measure (and What Not To).", "date_modified": "2023-09-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-08-crypto-agility-tooling-feature-flags-policy-and-rollback", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on Crypto Agility Tooling: Feature Flags, Policy, and Rollback: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  negotiate[\"Negotiate Algorithms\"] --> bind[\"Bind Transcript\"]\n  bind --> kdf[\"KDF (hybrid)\"]\n  kdf --> keys[\"Traffic Keys\"]\n  keys --> monitor[\"Monitor + Rollback\"]
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-08-crypto-agility-tooling-feature-flags-policy-and-rollback", "title": "Crypto Agility Tooling: Feature Flags, Policy, and Rollback", "summary": "Design memo (August 2023): Crypto Agility Tooling: Feature Flags, Policy, and Rollback.", "date_modified": "2023-08-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-07-pqc-for-iot-memory-cpu-and-timing-side-channels", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

PQC for IoT: Memory, CPU, and Timing Side Channels as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Hybrid composition should be transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  negotiate[\"Negotiate Algorithms\"] --> bind[\"Bind Transcript\"]\n  bind --> kdf[\"KDF (hybrid)\"]\n  kdf --> keys[\"Traffic Keys\"]\n  keys --> monitor[\"Monitor + Rollback\"]
\n

Implementation notes

\n

Interop tests are the migration plan; everything else is a hypothesis.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-07-pqc-for-iot-memory-cpu-and-timing-side-channels", "title": "PQC for IoT: Memory, CPU, and Timing Side Channels", "summary": "Engineering notebook entry (July 2023): PQC for IoT: Memory, CPU, and Timing Side Channels.", "date_modified": "2023-07-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-06-pqc-in-vpn-ipsec-ikev2-revisited-under-pq-constraints", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

PQC in VPN/IPsec: IKEv2 Revisited Under PQ Constraints as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Hybrid composition should be transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  negotiate[\"Negotiate Algorithms\"] --> bind[\"Bind Transcript\"]\n  bind --> kdf[\"KDF (hybrid)\"]\n  kdf --> keys[\"Traffic Keys\"]\n  keys --> monitor[\"Monitor + Rollback\"]
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
\n
2.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-06-pqc-in-vpn-ipsec-ikev2-revisited-under-pq-constraints", "title": "PQC in VPN/IPsec: IKEv2 Revisited Under PQ Constraints", "summary": "Threat-model-first analysis (June 2023): PQC in VPN/IPsec: IKEv2 Revisited Under PQ Constraints.", "date_modified": "2023-06-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-05-pqc-in-tls-negotiation-downgrade-and-interop", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

PQC in TLS: Negotiation, Downgrade, and Interop as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Binding is the whole game: make the transcript an input to the KDF.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Hybrid handshake checklist:\n- Explicit negotiation (no silent downgrade)\n- Transcript-bound KDF\n- DoS protections (rate limits, cookies, puzzles)\n- Constant-time operations\n- Telemetry: which mode, which failures, which clients
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-05-pqc-in-tls-negotiation-downgrade-and-interop", "title": "PQC in TLS: Negotiation, Downgrade, and Interop", "summary": "Threat-model-first analysis (May 2023): PQC in TLS: Negotiation, Downgrade, and Interop.", "date_modified": "2023-05-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-04-hybrid-key-exchange-binding-classical-and-pq-secrets-correct", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on Hybrid Key Exchange: Binding Classical and PQ Secrets Correctly: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Hybrid composition should be transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Interop tests are the migration plan; everything else is a hypothesis.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-04-hybrid-key-exchange-binding-classical-and-pq-secrets-correct", "title": "Hybrid Key Exchange: Binding Classical and PQ Secrets Correctly", "summary": "Design memo (April 2023): Hybrid Key Exchange: Binding Classical and PQ Secrets Correctly.", "date_modified": "2023-04-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-03-signatures-in-practice-dilithium-falcon-and-deployment-const", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on Signatures in Practice: Dilithium/Falcon and Deployment Constraints: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n

Binding is the whole game: make the transcript an input to the KDF.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  negotiate[\"Negotiate Algorithms\"] --> bind[\"Bind Transcript\"]\n  bind --> kdf[\"KDF (hybrid)\"]\n  kdf --> keys[\"Traffic Keys\"]\n  keys --> monitor[\"Monitor + Rollback\"]
\n

Implementation notes

\n

Interop tests are the migration plan; everything else is a hypothesis.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-03-signatures-in-practice-dilithium-falcon-and-deployment-const", "title": "Signatures in Practice: Dilithium/Falcon and Deployment Constraints", "summary": "Design memo (March 2023): Signatures in Practice: Dilithium/Falcon and Deployment Constraints.", "date_modified": "2023-03-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-02-kems-in-practice-kyber-handshakes-and-failure-surfaces", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on KEMs in Practice: Kyber Handshakes and Failure Surfaces: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Hybrid composition should be transcript-bound:

\n
ss=HKDF(ssclassical  sspqc, info=transcript).\\mathrm{ss} = \\mathrm{HKDF}(\\mathrm{ss}_\\text{classical}\\ \\Vert\\ \\mathrm{ss}_\\text{pqc},\\ \\text{info}=\\mathrm{transcript}).ss=HKDF(ssclassical  sspqc, info=transcript).
\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n

Binding is the whole game: make the transcript an input to the KDF.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

PQC migration is a systems program: protocol, performance, ops, and UX must compose.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Hybrid binding sketch (pseudocode):\n// ss = HKDF(ss_classical || ss_pqc, info=transcript_hash)\n// Then derive traffic keys from ss.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-02-kems-in-practice-kyber-handshakes-and-failure-surfaces", "title": "KEMs in Practice: Kyber Handshakes and Failure Surfaces", "summary": "Adversarial-first deep dive (February 2023): KEMs in Practice: Kyber Handshakes and Failure Surfaces.", "date_modified": "2023-02-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2023-01-pqc-threat-models-harvest-now-decrypt-later-in-real-systems", "content_html": "
\n

Monthly research note. Theme: Post-Quantum Cryptography & Migration.

\n
\n

TL;DR

\n

A focused memo on PQC Threat Models: 'Harvest Now, Decrypt Later' in Real Systems: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A KEM gives you shared secrets without discrete-log assumptions:

\n
(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).(\\mathrm{pk},\\mathrm{sk})\\leftarrow \\mathrm{KeyGen}();\\ \n(\\mathrm{ct},\\mathrm{ss})\\leftarrow \\mathrm{Enc}(\\mathrm{pk});\\ \n\\mathrm{ss}\\leftarrow \\mathrm{Dec}(\\mathrm{sk},\\mathrm{ct}).(pk,sk)KeyGen(); (ct,ss)Enc(pk); ssDec(sk,ct).
\n

Treat algorithm negotiation as adversarial: explicit downgrade resistance.

\n

Make costs explicit: measure CPU and bandwidth, then add protections.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant A as Initiator\n  participant B as Responder\n  A->>B: classical_keyshare + pqc_pk\n  B-->>A: classical_keyshare + pqc_ct + sig\n  A-->>B: sig\n  Note over A,B: ss = HKDF(ss_classical || ss_pqc, transcript)
\n

Implementation notes

\n

Explicit binding prevents downgrade and mix-and-match. Don’t leave it implicit.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Hybrid handshake checklist:\n- Explicit negotiation (no silent downgrade)\n- Transcript-bound KDF\n- DoS protections (rate limits, cookies, puzzles)\n- Constant-time operations\n- Telemetry: which mode, which failures, which clients
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
National Institute of Standards and Technology (NIST). Post-Quantum Cryptography [Internet]. Web; Available from: https://csrc.nist.gov/projects/post-quantum-cryptography
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2023-01-pqc-threat-models-harvest-now-decrypt-later-in-real-systems", "title": "PQC Threat Models: 'Harvest Now, Decrypt Later' in Real Systems", "summary": "Design memo (January 2023): PQC Threat Models: 'Harvest Now, Decrypt Later' in Real Systems.", "date_modified": "2023-01-01T00:00:00.000Z", "tags": [ "research-notes", "post-quantum-cryptography", "cryptography", "security", "protocol-design" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-12-red-teaming-infrastructure-turning-attacks-into-regression-t", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

Red Teaming Infrastructure: Turning Attacks into Regression Tests as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-12-red-teaming-infrastructure-turning-attacks-into-regression-t", "title": "Red Teaming Infrastructure: Turning Attacks into Regression Tests", "summary": "Threat-model-first analysis (December 2022): Red Teaming Infrastructure: Turning Attacks into Regression Tests.", "date_modified": "2022-12-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-11-rust-go-secure-coding-patterns-the-bugs-that-still-happen", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Rust/Go Secure Coding Patterns: The Bugs That Still Happen: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Treat CI as untrusted: keep tokens short-lived and scoped.\ntype Token struct {\n  Value string\n  ExpiresAtUnix int64\n  Scope string\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-11-rust-go-secure-coding-patterns-the-bugs-that-still-happen", "title": "Rust/Go Secure Coding Patterns: The Bugs That Still Happen", "summary": "Adversarial-first deep dive (November 2022): Rust/Go Secure Coding Patterns: The Bugs That Still Happen.", "date_modified": "2022-11-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-10-secure-configuration-policy-as-code-and-guardrails", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Secure Configuration: Policy-as-Code and Guardrails: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  pr[\"PR\"] --> checks[\"Checks\"]\n  checks --> merge[\"Merge\"]\n  merge --> release[\"Release\"]\n  release --> canary[\"Canary\"]\n  canary --> prod[\"Prod\"]\n  prod --> rollback[\"Rollback Plan\"]
\n

Implementation notes

\n

Build systems that can prove what happened after an incident.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-10-secure-configuration-policy-as-code-and-guardrails", "title": "Secure Configuration: Policy-as-Code and Guardrails", "summary": "Spec-driven research note (October 2022): Secure Configuration: Policy-as-Code and Guardrails.", "date_modified": "2022-10-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-09-backup-restore-as-a-protocol-rpo-rto-with-adversaries", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Backup/Restore as a Protocol: RPO/RTO with Adversaries: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  pr[\"PR\"] --> checks[\"Checks\"]\n  checks --> merge[\"Merge\"]\n  merge --> release[\"Release\"]\n  release --> canary[\"Canary\"]\n  canary --> prod[\"Prod\"]\n  prod --> rollback[\"Rollback Plan\"]
\n

Implementation notes

\n

Prefer short-lived credentials (OIDC) and explicit policy gates.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-09-backup-restore-as-a-protocol-rpo-rto-with-adversaries", "title": "Backup/Restore as a Protocol: RPO/RTO with Adversaries", "summary": "Adversarial-first deep dive (September 2022): Backup/Restore as a Protocol: RPO/RTO with Adversaries.", "date_modified": "2022-09-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-08-observability-at-scale-traces-cardinality-and-cost", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Observability at Scale: Traces, Cardinality, and Cost: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

Build systems that can prove what happened after an incident.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Treat CI as untrusted: keep tokens short-lived and scoped.\ntype Token struct {\n  Value string\n  ExpiresAtUnix int64\n  Scope string\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-08-observability-at-scale-traces-cardinality-and-cost", "title": "Observability at Scale: Traces, Cardinality, and Cost", "summary": "Spec-driven research note (August 2022): Observability at Scale: Traces, Cardinality, and Cost.", "date_modified": "2022-08-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-07-rate-limiting-load-shedding-protecting-reliability-slos", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

Rate Limiting & Load Shedding: Protecting Reliability SLOs as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

Build systems that can prove what happened after an incident.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Treat CI as untrusted: keep tokens short-lived and scoped.\ntype Token struct {\n  Value string\n  ExpiresAtUnix int64\n  Scope string\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-07-rate-limiting-load-shedding-protecting-reliability-slos", "title": "Rate Limiting & Load Shedding: Protecting Reliability SLOs", "summary": "Engineering notebook entry (July 2022): Rate Limiting & Load Shedding: Protecting Reliability SLOs.", "date_modified": "2022-07-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-06-multi-region-design-failover-that-you-can-actually-test", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

Multi-Region Design: Failover That You Can Actually Test as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  pr[\"PR\"] --> checks[\"Checks\"]\n  checks --> merge[\"Merge\"]\n  merge --> release[\"Release\"]\n  release --> canary[\"Canary\"]\n  canary --> prod[\"Prod\"]\n  prod --> rollback[\"Rollback Plan\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-06-multi-region-design-failover-that-you-can-actually-test", "title": "Multi-Region Design: Failover That You Can Actually Test", "summary": "Threat-model-first analysis (June 2022): Multi-Region Design: Failover That You Can Actually Test.", "date_modified": "2022-06-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-05-kubernetes-hardening-rbac-networkpolicy-and-pod-security", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

Kubernetes Hardening: RBAC, NetworkPolicy, and Pod Security as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  pr[\"PR\"] --> checks[\"Checks\"]\n  checks --> merge[\"Merge\"]\n  merge --> release[\"Release\"]\n  release --> canary[\"Canary\"]\n  canary --> prod[\"Prod\"]\n  prod --> rollback[\"Rollback Plan\"]
\n

Implementation notes

\n

Build systems that can prove what happened after an incident.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-05-kubernetes-hardening-rbac-networkpolicy-and-pod-security", "title": "Kubernetes Hardening: RBAC, NetworkPolicy, and Pod Security", "summary": "Threat-model-first analysis (May 2022): Kubernetes Hardening: RBAC, NetworkPolicy, and Pod Security.", "date_modified": "2022-05-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-04-runtime-security-ebpf-policy-and-drift-detection", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Runtime Security: eBPF, Policy, and Drift Detection: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-04-runtime-security-ebpf-policy-and-drift-detection", "title": "Runtime Security: eBPF, Policy, and Drift Detection", "summary": "Adversarial-first deep dive (April 2022): Runtime Security: eBPF, Policy, and Drift Detection.", "date_modified": "2022-04-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-03-secrets-hygiene-rotation-scoping-and-runtime-delivery", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Secrets Hygiene: Rotation, Scoping, and Runtime Delivery: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A policy gate is a predicate over metadata:

\n
allow(deploy)P(attestation, scan, env).\\mathrm{allow}(\\text{deploy}) \\Leftrightarrow P(\\text{attestation},\\ \\text{scan},\\ \\text{env}).allow(deploy)P(attestation, scan, env).
\n

Policy should be code with diffs and reviews—guardrails, not guidelines.

\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  pr[\"PR\"] --> checks[\"Checks\"]\n  checks --> merge[\"Merge\"]\n  merge --> release[\"Release\"]\n  release --> canary[\"Canary\"]\n  canary --> prod[\"Prod\"]\n  prod --> rollback[\"Rollback Plan\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
CI hardening checklist:\n- No long-lived secrets in CI\n- OIDC to obtain short-lived creds\n- Pin dependencies and verify integrity\n- Reproducible builds + provenance attestation\n- Policy-as-code gates (deploy blocked on evidence)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-03-secrets-hygiene-rotation-scoping-and-runtime-delivery", "title": "Secrets Hygiene: Rotation, Scoping, and Runtime Delivery", "summary": "Adversarial-first deep dive (March 2022): Secrets Hygiene: Rotation, Scoping, and Runtime Delivery.", "date_modified": "2022-03-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-02-reproducible-ci-cd-determinism-as-defense", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

Reproducible CI/CD: Determinism as Defense as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

The pipeline is production: it has credentials, network reach, and authority.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Treat CI as untrusted: keep tokens short-lived and scoped.\ntype Token struct {\n  Value string\n  ExpiresAtUnix int64\n  Scope string\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-02-reproducible-ci-cd-determinism-as-defense", "title": "Reproducible CI/CD: Determinism as Defense", "summary": "Engineering notebook entry (February 2022): Reproducible CI/CD: Determinism as Defense.", "date_modified": "2022-02-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2022-01-supply-chain-security-slsa-sbom-and-build-provenance", "content_html": "
\n

Monthly research note. Theme: DevSecOps & Resilience Engineering.

\n
\n

TL;DR

\n

A focused memo on Supply Chain Security: SLSA, SBOM, and Build Provenance: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Build provenance is a cryptographic statement:

\n
attestSignkbuild(hash(artifact)  metadata).\\mathrm{attest} \\leftarrow \\mathrm{Sign}_{k_\\text{build}}(\\mathrm{hash}(\\text{artifact})\\ \\Vert\\ \\text{metadata}).attestSignkbuild(hash(artifact)  metadata).
\n

Treat CI as attacker-controlled until proven otherwise; minimize secrets and privileges.

\n

Make provenance verifiable: “what built this” must be cryptographically bound.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  src[\"Source\"] --> build[\"Build (reproducible)\"]\n  build --> attest[\"Attestation\"]\n  attest --> scan[\"SAST/DAST/SCA\"]\n  scan --> deploy[\"Deploy (policy gates)\"]\n  deploy --> runtime[\"Runtime Policy + Observability\"]
\n

Implementation notes

\n

Prefer short-lived credentials (OIDC) and explicit policy gates.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Treat CI as untrusted: keep tokens short-lived and scoped.\ntype Token struct {\n  Value string\n  ExpiresAtUnix int64\n  Scope string\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2022-01-supply-chain-security-slsa-sbom-and-build-provenance", "title": "Supply Chain Security: SLSA, SBOM, and Build Provenance", "summary": "Spec-driven research note (January 2022): Supply Chain Security: SLSA, SBOM, and Build Provenance.", "date_modified": "2022-01-01T00:00:00.000Z", "tags": [ "research-notes", "DevSecOps", "security", "resilience", "security-critical-infrastructure" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-12-post-quantum-readiness-at-the-edge-constraints-and-migration", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Post-Quantum Readiness at the Edge: Constraints and Migration as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Fleet rollout safety is a monotone constraint:

\n
rollout(vk+1)can_rollback(vk)  telemetry_healthy.\\text{rollout}(v_{k+1}) \\Rightarrow \\text{can\\_rollback}(v_k)\\ \\wedge\\ \\text{telemetry\\_healthy}.rollout(vk+1)can_rollback(vk)  telemetry_healthy.
\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Edge security is about recovery: safe defaults, staged updates, and fast revocation.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-12-post-quantum-readiness-at-the-edge-constraints-and-migration", "title": "Post-Quantum Readiness at the Edge: Constraints and Migration", "summary": "Engineering notebook entry (December 2021): Post-Quantum Readiness at the Edge: Constraints and Migration.", "date_modified": "2021-12-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-11-anomaly-detection-what-baseline-means-in-industrial-systems", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Anomaly Detection: What 'Baseline' Means in Industrial Systems as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Fleet rollout safety is a monotone constraint:

\n
rollout(vk+1)can_rollback(vk)  telemetry_healthy.\\text{rollout}(v_{k+1}) \\Rightarrow \\text{can\\_rollback}(v_k)\\ \\wedge\\ \\text{telemetry\\_healthy}.rollout(vk+1)can_rollback(vk)  telemetry_healthy.
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Treat the gateway as a security boundary, not a dumb proxy.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-11-anomaly-detection-what-baseline-means-in-industrial-systems", "title": "Anomaly Detection: What 'Baseline' Means in Industrial Systems", "summary": "Threat-model-first analysis (November 2021): Anomaly Detection: What 'Baseline' Means in Industrial Systems.", "date_modified": "2021-11-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-10-secure-remote-access-bastions-just-in-time-and-audit", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

A focused memo on Secure Remote Access: Bastions, Just-in-Time, and Audit: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Fleet rollout safety is a monotone constraint:

\n
rollout(vk+1)can_rollback(vk)  telemetry_healthy.\\text{rollout}(v_{k+1}) \\Rightarrow \\text{can\\_rollback}(v_k)\\ \\wedge\\ \\text{telemetry\\_healthy}.rollout(vk+1)can_rollback(vk)  telemetry_healthy.
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Treat the gateway as a security boundary, not a dumb proxy.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-10-secure-remote-access-bastions-just-in-time-and-audit", "title": "Secure Remote Access: Bastions, Just-in-Time, and Audit", "summary": "Spec-driven research note (October 2021): Secure Remote Access: Bastions, Just-in-Time, and Audit.", "date_modified": "2021-10-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-09-offline-first-edge-consistency-during-intermittent-connectiv", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

A focused memo on Offline-First Edge: Consistency During Intermittent Connectivity: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Fleet rollout safety is a monotone constraint:

\n
rollout(vk+1)can_rollback(vk)  telemetry_healthy.\\text{rollout}(v_{k+1}) \\Rightarrow \\text{can\\_rollback}(v_k)\\ \\wedge\\ \\text{telemetry\\_healthy}.rollout(vk+1)can_rollback(vk)  telemetry_healthy.
\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Prefer protocols that degrade safely under packet loss and skew.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-09-offline-first-edge-consistency-during-intermittent-connectiv", "title": "Offline-First Edge: Consistency During Intermittent Connectivity", "summary": "Spec-driven research note (September 2021): Offline-First Edge: Consistency During Intermittent Connectivity.", "date_modified": "2021-09-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-08-safety-critical-vs-security-critical-integrating-two-worlds", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Safety-Critical vs Security-Critical: Integrating Two Worlds as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Edge security is about recovery: safe defaults, staged updates, and fast revocation.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-08-safety-critical-vs-security-critical-integrating-two-worlds", "title": "Safety-Critical vs Security-Critical: Integrating Two Worlds", "summary": "Correctness-focused deep dive (August 2021): Safety-Critical vs Security-Critical: Integrating Two Worlds.", "date_modified": "2021-08-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-07-gateway-architecture-protocol-translation-without-becoming-a", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

A focused memo on Gateway Architecture: Protocol Translation Without Becoming a Bottleneck: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Treat the gateway as a security boundary, not a dumb proxy.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-07-gateway-architecture-protocol-translation-without-becoming-a", "title": "Gateway Architecture: Protocol Translation Without Becoming a Bottleneck", "summary": "Spec-driven research note (July 2021): Gateway Architecture: Protocol Translation Without Becoming a Bottleneck.", "date_modified": "2021-07-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-06-time-series-at-scale-ingestion-downsampling-and-query-isolat", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

A focused memo on Time-Series at Scale: Ingestion, Downsampling, and Query Isolation: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Prefer protocols that degrade safely under packet loss and skew.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-06-time-series-at-scale-ingestion-downsampling-and-query-isolat", "title": "Time-Series at Scale: Ingestion, Downsampling, and Query Isolation", "summary": "Design memo (June 2021): Time-Series at Scale: Ingestion, Downsampling, and Query Isolation.", "date_modified": "2021-06-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-05-zero-trust-for-iiot-network-segmentation-and-policy-enforcem", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Zero Trust for IIoT: Network Segmentation and Policy Enforcement as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Prefer protocols that degrade safely under packet loss and skew.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Anti-replay sketch: monotonic counter + bounded window.\ntype Counter uint64\ntype SeenStore interface {\n  MaxCounter(deviceID string) (Counter, error)\n  UpdateMax(deviceID string, c Counter) error\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-05-zero-trust-for-iiot-network-segmentation-and-policy-enforcem", "title": "Zero Trust for IIoT: Network Segmentation and Policy Enforcement", "summary": "Correctness-focused deep dive (May 2021): Zero Trust for IIoT: Network Segmentation and Policy Enforcement.", "date_modified": "2021-05-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-04-firmware-update-pipelines-rollouts-canary-and-recovery", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Firmware Update Pipelines: Rollouts, Canary, and Recovery as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Treat device identity as a lifecycle: provision → attest → rotate → revoke → forensics.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Treat the gateway as a security boundary, not a dumb proxy.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Anti-replay sketch: monotonic counter + bounded window.\ntype Counter uint64\ntype SeenStore interface {\n  MaxCounter(deviceID string) (Counter, error)\n  UpdateMax(deviceID string, c Counter) error\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-04-firmware-update-pipelines-rollouts-canary-and-recovery", "title": "Firmware Update Pipelines: Rollouts, Canary, and Recovery", "summary": "Threat-model-first analysis (April 2021): Firmware Update Pipelines: Rollouts, Canary, and Recovery.", "date_modified": "2021-04-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-03-edge-to-cloud-messaging-mqtt-opc-ua-and-threat-models", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Edge-to-Cloud Messaging: MQTT, OPC UA, and Threat Models as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Prefer protocols that degrade safely under packet loss and skew.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-03-edge-to-cloud-messaging-mqtt-opc-ua-and-threat-models", "title": "Edge-to-Cloud Messaging: MQTT, OPC UA, and Threat Models", "summary": "Engineering notebook entry (March 2021): Edge-to-Cloud Messaging: MQTT, OPC UA, and Threat Models.", "date_modified": "2021-03-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-02-secure-telemetry-integrity-nonce-discipline-and-replay-prote", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

Secure Telemetry: Integrity, Nonce Discipline, and Replay Protection as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Fleet rollout safety is a monotone constraint:

\n
rollout(vk+1)can_rollback(vk)  telemetry_healthy.\\text{rollout}(v_{k+1}) \\Rightarrow \\text{can\\_rollback}(v_k)\\ \\wedge\\ \\text{telemetry\\_healthy}.rollout(vk+1)can_rollback(vk)  telemetry_healthy.
\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant D as Device\n  participant G as Gateway\n  participant C as Cloud\n  D->>G: telemetry(nonce, ctr, sig)\n  G->>C: forward + policy tags\n  C-->>G: update policy\n  G-->>D: commands (bounded)
\n

Implementation notes

\n

Edge security is about recovery: safe defaults, staged updates, and fast revocation.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-02-secure-telemetry-integrity-nonce-discipline-and-replay-prote", "title": "Secure Telemetry: Integrity, Nonce Discipline, and Replay Protection", "summary": "Correctness-focused deep dive (February 2021): Secure Telemetry: Integrity, Nonce Discipline, and Replay Protection.", "date_modified": "2021-02-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2021-01-device-identity-provisioning-attestation-and-lifecycle", "content_html": "
\n

Monthly research note. Theme: IIoT Platforms & Edge Security.

\n
\n

TL;DR

\n

A focused memo on Device Identity: Provisioning, Attestation, and Lifecycle: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

At the edge, identity and freshness are everything. A typical anti-replay constraint:

\n
accept(m)nonce(m)Seen  ts(m)[tΔ,t+Δ].\\text{accept}(m)\\Rightarrow \\mathrm{nonce}(m)\\notin \\mathrm{Seen}\\ \\wedge\\ \\mathrm{ts}(m)\\in [t-\\Delta,t+\\Delta].accept(m)nonce(m)/Seen  ts(m)[tΔ,t+Δ].
\n

Use monotonic counters when time is untrusted; combine with nonces and bounded windows.

\n

Define safe modes explicitly: what do devices do when policy can’t be fetched?

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  dev[\"Device (identity + attestation)\"] --> gw[\"Gateway\"]\n  gw --> bus[\"Message Bus\"]\n  bus --> ingest[\"Ingestion\"]\n  ingest --> tsdb[\"Time-Series Store\"]\n  tsdb --> apps[\"Analytics / Control Plane\"]
\n

Implementation notes

\n

Prefer protocols that degrade safely under packet loss and skew.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Firmware update safety checklist:\n- Signed manifest with version + hash\n- Rollback protection (anti-downgrade)\n- A/B partitions or staged apply\n- Health check + watchdog\n- Telemetry proves rollout state
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2021-01-device-identity-provisioning-attestation-and-lifecycle", "title": "Device Identity: Provisioning, Attestation, and Lifecycle", "summary": "Design memo (January 2021): Device Identity: Provisioning, Attestation, and Lifecycle.", "date_modified": "2021-01-01T00:00:00.000Z", "tags": [ "research-notes", "IIoT", "security-critical-infrastructure", "distributed-systems", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-12-spec-driven-development-making-the-spec-the-center-of-gravit", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Spec-Driven Development: Making the Spec the Center of Gravity: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Write properties in plain language next to the formal version.

\n

Keep the model small enough to run in seconds; large models rot.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Keep refinement boundaries explicit: what the spec promises vs what code enforces.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Workflow:\n1) Write a model with a few state variables.\n2) State invariants (safety) and progress conditions (liveness).\n3) Run model checker with tight bounds.\n4) Minimize counterexamples into test cases.\n5) Iterate until failures are boring.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-12-spec-driven-development-making-the-spec-the-center-of-gravit", "title": "Spec-Driven Development: Making the Spec the Center of Gravity", "summary": "Design memo (December 2020): Spec-Driven Development: Making the Spec the Center of Gravity.", "date_modified": "2020-12-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/boosting-quantum-computer-hardware", "content_html": "

Google recently announced the release of TensorFlow Quantum - a toolset for combining state-of-the-art machine learning techniques with quantum algorithm design. This was an important step to build tools for developers working on quantum applications - users operating primarily at the “top of the stack”.

\n

In parallel we’ve been building a complementary TensorFlow-based toolset working from the hardware level up - from the bottom of the stack. Our efforts have focused on improving the performance of quantum computing hardware through the integration of a set of techniques we call quantum firmware.

\n

In this article we’ll provide an overview of the fundamental driver for this work - combating noise and error in quantum computers - and describe how the team at Q-CTRL uses TensorFlow to efficiently characterize and suppress the impact of noise and imperfections in quantum hardware. These are key challenges in the global effort to make quantum computers useful.

\n

The Achilles heel of quantum computers - noise and error\nQuantum computing, simply put, is a new way to process information using the laws of quantum physics - the rules that govern nature on tiny size scales. Through decades of effort in science and engineering we’re now ready to put this physics to work solving problems that are exceptionally difficult for regular computers.

\n

Realizing useful computations on today’s systems requires a recognition that performance is predominantly limited by hardware imperfections and failures, not system size. Susceptibility to noise and error remains the Achilles heel of quantum computers, and ultimately limits the range and utility of algorithms run on quantum computing hardware.

\n

As a broad community average, most quantum computer hardware can run just a few dozen calculations over a time much less than one millisecond before requiring a reset due to the influence of noise. Depending on the specifics that’s about 1024 times worse than the hardware in a laptop!

\n

This is the heart of why quantum computing is really hard. In this context, “noise” describes all of the things that cause interference in a quantum computer. Just like a mobile phone call can suffer interference leading it to break up, a quantum computer is susceptible to interference from all sorts of sources, like electromagnetic signals coming from WiFi or disturbances in the Earth’s magnetic field.

\n

When qubits in a quantum computer are exposed to this kind of noise, the information in them gets degraded just the way sound quality is degraded by interference on a call. In a quantum system this process is known as decoherence. Decoherence causes the information encoded in a quantum computer to become randomized - and this leads to errors when we execute an algorithm. The greater the influence of noise, the shorter the algorithm that can be run.

\n

So what do we do about this? To start, for the past two decades teams have been working to make their hardware more passively stable - shielding it from the noise that causes decoherence. At the same time theorists have designed a clever algorithm called Quantum Error Correction that can identify and fix errors in the hardware, based in large part on classical error correction codes. This is essential in principle, but the downside is that to make it work you have to spread the information in one qubit over lots of qubits; it may take 1000 or more physical qubits to realize just one error-corrected “logical qubit”. Today’s machines are nowhere near capable of getting benefits from this kind of Quantum Error Correction.

\n

Q-CTRL adds something extra - quantum firmware - which can stabilize the qubits against noise and decoherence without the need for extra resources. It does this by adding new solutions at the lowest layer of the quantum computing stack that improve the hardware’s robustness to error.

\n

Building quantum firmware with TensorFlow

\n

Quantum firmware describes a set of protocols whose purpose is to deliver quantum hardware with augmented performance to higher levels of abstraction in the quantum computing stack. The choice of the term firmware reflects the fact that the relevant routines are usually software-defined but embedded proximal to the physical layer and effectively invisible to higher layers of abstraction.

\n

Quantum computing hardware generally relies on a form of precisely engineered light-matter interaction in order to enact quantum logic operations. These operations in a sense constitute the native machine language for a quantum computer; a timed pulse of microwaves on resonance with a superconducting qubit can translate to an effective bit-flip operation while another pulse may implement a conditional logic operation between a pair of qubits. An appropriate composition of these electromagnetic signals then implements the target quantum algorithm.

\n

Quantum firmware determines how the physical hardware should be manipulated, redefining the hardware machine language in a way that improves stability against decoherence. Key to this process is the calculation of noise-robust operations using information gleaned from the hardware itself.

\n

Building in TensorFlow was essential to moving beyond “home-built’’ code to commercial-grade products for Q-CTRL. Underpinning these techniques (formally coming from the field of quantum control) are tools allowing us to perform complex gradient-based optimizations. We express all optimization problems as data flow graphs, which describe how optimization variables (variables that can be tuned by the optimizer) are transformed into the cost function (the objective that the optimizer attempts to minimize). We combine custom convenience functions with access to TensorFlow primitives in order to efficiently perform optimizations as used in many different parts of our workflow. And critically, we exploit TensorFlow’s efficient gradient calculation tools to address what is often the weakest link in home-built implementations, especially as the analytic form of the relevant function is often nonlinear and contains many complex dependencies.

\n

For example, consider the case of defining a numerically optimized error-robust quantum bit flip used to manipulate a qubit - the analog of a classical NOT gate. As mentioned above, in a superconducting qubit this is achieved using a pulse of microwaves. We have the freedom to “shape” various aspects of the envelope of the pulse in order to enact the same mathematical transformation in a way that exhibits robustness against common noise sources, such as fluctuations in the strength or frequency of the microwaves.

\n

To do this we first define the data flow graph used to optimize the manipulation of this qubit - it includes objects that describe available “knobs” to adjust, the sources of noise, and the target operation .

\n

Once the graph has been defined inside our context manager, an object must be created that ties together the objective function (in this case minimizing the resultant gate error) and the desired outputs defining the shape of the microwave pulse. With the graph object created, an optimization can be run using a service that returns a new graph object containing the results of the optimization.

\n

This structure allows us to simply create helper functions which enable physically motivated constraints to be built directly into the graph. For instance, these might be symmetry requirements, limits on how a signal changes in time, or even incorporation of characteristics of the electronics systems used to generate the microwave pulses. Any other capabilities not directly covered by this library of helper functions can also be directly coded as TensorFlow primitives.

\n

With this approach we achieve an extremely flexible and high-performance optimization engine; our direct benchmarking has revealed order-of-magnitude benefits in time to solution relative to the best available alternative architectures.

\n

The capabilities enabled by this toolkit span the space of tasks required to stabilize quantum computing hardware and reduce errors at the lowest layer of the quantum computing stack. And importantly they’re experimentally verified on real quantum computing hardware; quantum firmware has been shown to reduce the likelihood of errors, mitigate system performance variations across devices, stabilize hardware against slowly drifting out of calibration, and even make quantum logic operations more compatible with higher level abstractions in quantum computing such as quantum error correction. All of these capabilities and real hardware demonstrations are accessible via our publicly available User Guides and Application Notes in executable Jupyter notebook form.

\n

Ultimately, we believe that building and operating large-scale quantum computing systems will be effectively impossible without the integration of the capabilities encapsulated in quantum firmware. There are many concepts to be drawn from across the fields of machine learning and robotic control in the drive for performance and autonomy, and TensorFlow has proven an efficient language to support the development of the critical toolsets.

\n

A brief history of QC, from Shor to quantum machine learning\nThe quantum computing boom started in 1994 with the discovery of Shor’s algorithm for factoring large numbers. Public key cryptosystems — which is to say, most encryption — rely on the mathematical complexity of factoring primes to keep messages safe from prying computers. By virtue of their approach to encoding and processing information, however, quantum computers are conjectured to be able to factor primes faster — exponentially faster — than a classical machine. In principle this poses an existential threat not only to national security, but also emerging technologies such as cryptocurrencies.

\n

This realization set in motion the development of the entire field of quantum computing. Shor’s algorithm spurred the NSA to begin one of its first ever open, University-driven research programs asking the question of whether such systems could be built. Fast forward to 2020 and quantum supremacy has been achieved, meaning that a real quantum computing hardware system has performed a task that’s effectively impossible for even the world’s largest supercomputers.

\n

Quantum supremacy is an important technical milestone whose practical importance in solving problems of relevance to end users remains a bit unclear. Our community is continuing to make great progress towards quantum advantage - a threshold indicating that it’s actually cheaper or faster to use a quantum computer for a problem of practical relevance. And for the right problems, we think that within the next 5-10 years we’ll cross that threshold with a quantum computer that isn’t that much bigger than the ones we have today. It just needs to perform much better.

\n

So, which problems are the right problems for quantum computers to address first?

\n

In many respects, Shor’s algorithm has receded in importance as the scale of the challenge emerged. A recent technical analysis suggests that we’re unlikely to see Shor deployed at a useful scale until 2039. Today, small-scale machines with a couple of dozen interacting qubits exist in labs around the world, built from superconducting circuits, individual trapped atoms, or similarly exotic materials. The problem is that these early machines are just too small and too fragile to solve problems relevant to factoring.

\n

To factor a number sufficiently large to be relevant in cryptography, one would need a system composed of thousands of qubits capable of handling trillions of operations each. This is nothing for a conventional machine where hardware can run for a billion years at a billion operations per second and never be likely to suffer a fault. But as we’ve seen it’s quite a different story for quantum computers.

\n

These limits have driven the emergence of a new class of applications in materials science and chemistry that could prove equally impactful, using much smaller systems. Quantum computing in the near term could also help develop new classes of artificial intelligence systems. Recent efforts have demonstrated a strong and unexpected link between quantum computation and artificial neural networks, potentially portending new approaches to machine learning.

\n

This class of problem can often be cast as optimizations where input into a classical machine learning algorithm comes from a small quantum computation, or where data is represented in the quantum domain and a learning procedure implemented. TensorFlow Quantum provides an exciting toolset for developers seeking new and improved ways to exploit the small quantum computers existing now and in the near future.

\n

Still, even those small machines don’t perform particularly well. Q-CTRL’s quantum firmware enables users to extract maximum performance from hardware. Thus we see that TensorFlow has a critical role to play across the emerging quantum computing software stack - from quantum firmware through to algorithms for quantum machine learning.

\n

Resources if you’d like to learn more\nWe appreciate that members of the TensorFlow community may have varying levels of familiarity with quantum computing, and that this overview was only a starting point. To help readers interested in learning more about quantum computing we’re happy to provide a few resources:

\n

For those knowledgeable about machine learning, Q-CTRL has also produced a series of webinars introducing the concept of Robust Control in quantum computing and even demonstrating reinforcement learning to discover gates on real quantum hardware.\nIf you need to start from zero, Q-CTRL has produced a series of introductory video tutorials helping the uninitiated begin their quantum journey via our learning center. We also offer a visual interface enabling new users to discover and build intuition for the core concepts underlying quantum computing - including the impact of noise on quantum hardware.\nJack Hidary from X wrote a great text focused on linking the foundations of quantum computing with how teams today write code for quantum machines.\nThe traditional “formal” starting point for those interested in quantum computing is the timeless textbook from “Mike and Ike”

", "url": "https://mayckongiovani.xyz/pensieve/boosting-quantum-computer-hardware", "title": "Boosting quantum computer hardware performance with TensorFlow", "summary": "Boosting quantum computer hardware performance with TensorFlow", "date_modified": "2020-11-03T00:00:00.000Z", "tags": [ "Quantum Computing", "TensorFlow" ] }, { "id": "https://mayckongiovani.xyz/pensieve/simulating-subatomic-physics-on-a-quantum-computer", "content_html": "

When two heavy ions collide inside a particle accelerator, they produce a near-perfect fluid through which an assortment of fundamental particles swim. For scientists to accurately simulate even a tiny drop of this hot and dense subatomic brew with a classical computer, it would take longer than the age of the universe.

\n

A collaboration of theorists, experimentalists and computer scientists are exploring how they could crack the mathematics with the help of a powerful and emerging tool: quantum computing.

\n

“It’s time for us to start thinking about how we can benefit from advances in quantum hardware,” says James Mulligan, a postdoc at the US Department of Energy’s Lawrence Berkeley National Laboratory working on the ALICE Experiment.

\n

Today, physicists use clusters of high-powered classical computers to crunch numbers and generate simulations of the subatomic world. Classical computers reduce complex information into combinations of ones and zeros called bits. A computer’s hardware processes and encodes these bits by releasing tiny bursts of electrons (for example, a one could be represented by a charge and a zero with no charge). From these simple building blocks, computers can perform incredibly complex calculations, but they require a huge amount of time and resources.

\n

A quantum computer takes this principle of classical computing and adds a thick layer of nuance.

\n

“It hinges on the fact that quantum space has properties that classical bits of information do not,” Mulligan says. “A quantum object [such as a particle] can simultaneously be in two states at once, something we call superposition.”

\n

Quantum computing swaps the deterministic property of “charge vs. no charge” for a quantum property such as an electron’s spin. Spin is an intrinsic characteristic that—when measured—will settle into one of two possible states: ‘spin-up’ or ‘spin-down.’ But because it’s a quantum property, until a measurement is made, the electron’s spin is a superposition of both possibilities.

\n

“If you think of the electron’s spin like a needle rotating around inside a sphere, it could point in any direction,” says Xiaojun Yao, a postdoc at the Massachusetts Institute of Technology. “When a measurement is made, it will be either spin up or spin down, but what matters is what happens before we do the measurement. We can gain some advantage.”

\n

Each qubit—that is, the quantum equivalent of a bit—behaves like a microscopic probability spinner that can be tuned and controlled by the computer’s programming. The tuning (which is represented by a complex number) replaces the binary ‘one or zero’ notation of classical bits.

\n

“In practice, one qubit cannot be more powerful than a classical bit,” Yao says. \"But multiple qubits can be more powerful than multiple classical bits. Theoretically, a small collection of qubits could store a huge amount of information.”

\n

This switcheroo from binary to non-binary dramatically increases a quantum computer’s ability to perform multifaceted calculations. “It’s exponential,” says Felix Ringer, a postdoc at Berkeley Lab. “A calculation using n number of qubits on a quantum computer would need 2n classical bits on a standard computer.”

\n

While quantum computers carry little advantage for simple tasks like typing text messages or streaming videos, the implications for certain types of complex calculations are enormous.

\n

“We can use the quantum processes happening inside a quantum computer to simulate the quantum processes happening inside our experiment,” Ringer says. “Eventually, we could use quantum computers to solve big outstanding problems in our theoretical understanding of the world.”

\n

Today’s quantum computers are still in their infancy and lack the intricacy and reliability of classical computers. But Mulligan, Yao and Ringer want to be ready when the technology matures.

\n

Recently, they performed a proof-of-principle study—with funding from DOE’s Office of Science and Berkeley Lab—that examined how the properties of a heavy particle could be impacted after it traversed through a quark-gluon plasma. Quark gluon plasmas are the hottest and densest known state of matter and produced during heavy ion collisions, such as those inside the Relativists Heavy Ion Collider at the DOE’s Brookhaven National Laboratory and the Large Hadron Collider at CERN. The team of scientists ran their simulation on both a real quantum computer built by IBM and on a classical computer configured to imitate a quantum computer.

\n

“It was slightly more difficult than I expected,” Yao says. “The current quantum machines are noisy, and you have to apply error mitigations to account for the noise and get meaningful results.\"

\n

After several months of honing their code and testing the outcomes, they were able to demonstrate that these kinds of calculations are already feasible on today’s quantum computers.

\n

“It’s important to start now and to explore these techniques,” Ringer says. “Potentially, the particle physics community could even have an impact on shaping the evolution of quantum computing by proposing interesting problems that the next generation of machines could solve. There’s many opportunities for collaboration and innovation.”

", "url": "https://mayckongiovani.xyz/pensieve/simulating-subatomic-physics-on-a-quantum-computer", "title": "Simulating subatomic physics on a quantum computer", "summary": "How quantum computing could be a game-changer in our understanding of quantum processes.", "date_modified": "2020-11-03T00:00:00.000Z", "tags": [ "Quantum Computing" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-11-designing-apis-for-correctness-types-lifetimes-and-capabilit", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

Designing APIs for Correctness: Types, Lifetimes, and Capabilities as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Refinement is a simulation relation between spec and impl:

\n
ImplSpecbehaviors(Impl)behaviors(Spec).\\mathrm{Impl} \\sqsubseteq \\mathrm{Spec}\\quad\\Rightarrow\\quad \\forall \\text{behaviors}(\\mathrm{Impl}) \\subseteq \\text{behaviors}(\\mathrm{Spec}).ImplSpecbehaviors(Impl)behaviors(Spec).
\n

Keep the model small enough to run in seconds; large models rot.

\n

Treat counterexamples as regression tests: reduce, encode, and replay.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Make the model executable enough to generate counterexamples quickly.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-11-designing-apis-for-correctness-types-lifetimes-and-capabilit", "title": "Designing APIs for Correctness: Types, Lifetimes, and Capabilities", "summary": "Engineering notebook entry (November 2020): Designing APIs for Correctness: Types, Lifetimes, and Capabilities.", "date_modified": "2020-11-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-10-verified-crypto-interfaces-constant-time-boundaries-and-misu", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Verified Crypto Interfaces: Constant-Time Boundaries and Misuse Resistance: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Keep the model small enough to run in seconds; large models rot.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-10-verified-crypto-interfaces-constant-time-boundaries-and-misu", "title": "Verified Crypto Interfaces: Constant-Time Boundaries and Misuse Resistance", "summary": "Adversarial-first deep dive (October 2020): Verified Crypto Interfaces: Constant-Time Boundaries and Misuse Resistance.", "date_modified": "2020-10-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-09-symbolic-execution-when-brute-force-becomes-logic", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

Symbolic Execution: When Brute Force Becomes Logic as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common way to state linearizability is existence of a sequential history:

\n
Hs: Hs is sequential HsHc.\\exists H_s:\\ H_s \\text{ is sequential } \\wedge H_s \\sim H_c.Hs: Hs is sequential HsHc.
\n

Treat counterexamples as regression tests: reduce, encode, and replay.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Make the model executable enough to generate counterexamples quickly.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-09-symbolic-execution-when-brute-force-becomes-logic", "title": "Symbolic Execution: When Brute Force Becomes Logic", "summary": "Correctness-focused deep dive (September 2020): Symbolic Execution: When Brute Force Becomes Logic.", "date_modified": "2020-09-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-08-concurrency-testing-in-rust-loom-schedules-and-determinism", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Concurrency Testing in Rust: Loom, Schedules, and Determinism: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A common way to state linearizability is existence of a sequential history:

\n
Hs: Hs is sequential HsHc.\\exists H_s:\\ H_s \\text{ is sequential } \\wedge H_s \\sim H_c.Hs: Hs is sequential HsHc.
\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n

Keep the model small enough to run in seconds; large models rot.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Keep refinement boundaries explicit: what the spec promises vs what code enforces.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-08-concurrency-testing-in-rust-loom-schedules-and-determinism", "title": "Concurrency Testing in Rust: Loom, Schedules, and Determinism", "summary": "Adversarial-first deep dive (August 2020): Concurrency Testing in Rust: Loom, Schedules, and Determinism.", "date_modified": "2020-08-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-07-fuzzing-protocol-parsers-when-inputs-are-adversarial", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

Fuzzing Protocol Parsers: When Inputs Are Adversarial as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Treat counterexamples as regression tests: reduce, encode, and replay.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Workflow:\n1) Write a model with a few state variables.\n2) State invariants (safety) and progress conditions (liveness).\n3) Run model checker with tight bounds.\n4) Minimize counterexamples into test cases.\n5) Iterate until failures are boring.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-07-fuzzing-protocol-parsers-when-inputs-are-adversarial", "title": "Fuzzing Protocol Parsers: When Inputs Are Adversarial", "summary": "Threat-model-first analysis (July 2020): Fuzzing Protocol Parsers: When Inputs Are Adversarial.", "date_modified": "2020-07-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-06-differential-testing-using-other-implementations-as-oracles", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Differential Testing: Using Other Implementations as Oracles: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Keep the model small enough to run in seconds; large models rot.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Keep refinement boundaries explicit: what the spec promises vs what code enforces.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Workflow:\n1) Write a model with a few state variables.\n2) State invariants (safety) and progress conditions (liveness).\n3) Run model checker with tight bounds.\n4) Minimize counterexamples into test cases.\n5) Iterate until failures are boring.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-06-differential-testing-using-other-implementations-as-oracles", "title": "Differential Testing: Using Other Implementations as Oracles", "summary": "Spec-driven research note (June 2020): Differential Testing: Using Other Implementations as Oracles.", "date_modified": "2020-06-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-05-property-based-testing-finding-bugs-you-didn-t-imagine", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

Property-Based Testing: Finding Bugs You Didn’t Imagine as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Write properties in plain language next to the formal version.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Workflow:\n1) Write a model with a few state variables.\n2) State invariants (safety) and progress conditions (liveness).\n3) Run model checker with tight bounds.\n4) Minimize counterexamples into test cases.\n5) Iterate until failures are boring.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-05-property-based-testing-finding-bugs-you-didn-t-imagine", "title": "Property-Based Testing: Finding Bugs You Didn’t Imagine", "summary": "Threat-model-first analysis (May 2020): Property-Based Testing: Finding Bugs You Didn’t Imagine.", "date_modified": "2020-05-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-04-refinement-proving-your-implementation-matches-the-spec", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

Refinement: Proving Your Implementation Matches the Spec as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A common way to state linearizability is existence of a sequential history:

\n
Hs: Hs is sequential HsHc.\\exists H_s:\\ H_s \\text{ is sequential } \\wedge H_s \\sim H_c.Hs: Hs is sequential HsHc.
\n

Keep the model small enough to run in seconds; large models rot.

\n

Write properties in plain language next to the formal version.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-04-refinement-proving-your-implementation-matches-the-spec", "title": "Refinement: Proving Your Implementation Matches the Spec", "summary": "Engineering notebook entry (April 2020): Refinement: Proving Your Implementation Matches the Spec.", "date_modified": "2020-04-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-03-model-checking-at-scale-state-explosion-and-how-to-cheat", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Model Checking at Scale: State Explosion and How to Cheat: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common way to state linearizability is existence of a sequential history:

\n
Hs: Hs is sequential HsHc.\\exists H_s:\\ H_s \\text{ is sequential } \\wedge H_s \\sim H_c.Hs: Hs is sequential HsHc.
\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n

Write properties in plain language next to the formal version.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-03-model-checking-at-scale-state-explosion-and-how-to-cheat", "title": "Model Checking at Scale: State Explosion and How to Cheat", "summary": "Adversarial-first deep dive (March 2020): Model Checking at Scale: State Explosion and How to Cheat.", "date_modified": "2020-03-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-02-tla-for-engineers-modeling-the-minimal-thing-that-can-break-", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on TLA+ for Engineers: Modeling the Minimal Thing That Can Break You: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Write properties in plain language next to the formal version.

\n

Model the scheduler explicitly when concurrency is part of the threat model.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  spec[\"Spec (TLA+/PlusCal)\"] --> mc[\"Model Check\"]\n  mc --> refine[\"Refinement / Invariants\"]\n  refine --> impl[\"Implementation (Rust/Go)\"]\n  impl --> tests[\"Fuzz / PBT / Differential\"]\n  tests --> spec
\n

Implementation notes

\n

Treat invariants as code: version, review, and test them.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Practical tip: make the model \"executable\" enough to emit traces you can replay.\n// Then treat traces as regression inputs for your implementation.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-02-tla-for-engineers-modeling-the-minimal-thing-that-can-break-", "title": "TLA+ for Engineers: Modeling the Minimal Thing That Can Break You", "summary": "Design memo (February 2020): TLA+ for Engineers: Modeling the Minimal Thing That Can Break You.", "date_modified": "2020-02-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/quantum-computing", "content_html": "

When was the day that quantum became normalised?\n‘Quantum’, as a modifier within a sentence, has typically denoted something entirely beyond the realm of ordinary comprehension — the demesne of cats at once undead and unliving, of profound theoretical breakthroughs regretted, of keys to new dimensions. Sat on the lip of the 2020s, however, it is both exciting and oddly disconcerting to discover that quantum, such a synonym for the terminally unpredictable, has become a sure shot, an all-but-safe bet.\nOr, at least, quantum computing has. Since the 1990s it has been one of the most anticipated tickmarks on the developmental technological calendar. Now, we are passing between decisive phases in the lifecycle of this unique branch of computing. No longer merely a theoretical preserve, or a lab-bound pursuit, quantum computing is now a major channel of investment for large companies, small companies, VCs, academic institutions, and states. More and more, we are finding applied usage for the prime descendant of the classical computer; to the extent that, come the end of the 20s, quantum computing might be feasibly considered the decade’s definitive technology.\nBut why? And how?\nWhat Are Quantum Computers?\nQuantum computers, and quantum computing, make use of quantum phenomena to execute processes faster. ‘Classical’ computing processes information through regular binaries, often colloquially referred to as ‘0s and 1s’. Quantum principles like superposition (wherein a particle exists in multiple quantum states simultaneously, instead of in one place and state) and entanglement (wherein multiple particles share spatial proximity in such a way as understanding the nature of one divests greater understanding of the other, or others), on the other hand, can be used to allow a computer to process beyond regular binary principles.\nThe basic unit of quantum computing is, therefore, not the bit — a value set to 0 or 1, then arranged into long denotative strings — but the qubit, a value that can be both 0 and 1 simultaneously. Special kinds of atoms that can entertain such two-way states, like “ions, photons, or tiny superconducting circuits”, are therefore the building blocks of quantum computing. The quantum computer reads the degree to which a given qubit is ‘0’ and how much of it is ‘1’. This is often mapped out on a sort of qubit ‘globe’, whereon one point on the globe denotes the quantity of ‘0’ and of ‘1’ that the qubit possesses. To this end, you might more easily think of a value of ‘0’ being represented by the globe’s latitude and a value of ‘1’ by its longitude. Once the ‘coordinates’ of the qubit, and others in the string, have been determined, the computer can proceed with the function denoted.\nOur present computing models were founded on machines essentially designed to make calculus more straightforward — despite our almost deific conception of computing intelligence, the classical computing model is not necessarily as well-optimised for certain among the other tasks we now seek to use it for. As put in a recent report by Morgan Stanley, “While the classical computer is very good at calculus, the quantum computer is even better at sorting, finding prime numbers, simulating molecules, and optimization, and thus could open the door to a new computing era.”\nQuantum computing does not concern one single computing model. There are a variety of viable methods of quantum computing, including via quantum gate array (otherwise known as the quantum circuit), one-way, adiabatic, and topological methods. The adiabatic model is one of the most-implemented at present, and best for solving optimisation problems, though it cannot thoroughly outstrip a classical supercomputer in performance. The gate array model, the other most-implemented model to this point, is more powerful but considerably more difficult and expensive to build.\nJust as there are multiple quantum computing models, there are an array of floated physical realisations of quantum computers. These include the use of superconductors, trapped ions, linear optics, and even the Bose-Einstein condensate we saw be momentously recreated a couple of months back on the ISS.\nBuilding a Qubit\nFor anyone who’s sat with a laptop straining through activity, and burning a hole through their trouser-leg in the process, it may come as a surprise to discover that quantum computers operate at very low temperatures. Colder temperatures, in fact, than can be found in the vacuum of space. Qubits, however powerful, are delicate things, and can be disturbed from their course very easily by any number of complicating elements, heat included.\nIn order to make one of these fine, profound things, you need first an atomic or subatomic substance capable of sustaining a coherent quantum superposition between two states. There are a number of ways of doing so. Cosmos magazine reported that an Australian team led by Michelle Simmons at the University of New South Wales created atomic qubits by placing a single phosphorus atom on a silicon chip, determining the position of the resulting qubit in the crystal lattice from its quantum spin information. You could also run a current through a superconductor, and chart the resultant superposition.\nAn additional means of creating qubits is to dislodge an electron from an atom, thereby making an ion. This ion is then held captive by electromagnetism, and lasers fired at it to provokes changes in quantum state. By such a means, you have a ‘trapped ion’ quantum computer.\nWhy Quantum Computers?\nIt all sounds perfectly impressive, all quite nice — but what takes quantum computing from being blarney-exclusive of the theoretical-scientific community, and into blarney-incipient of the world of applied science, is the vast range of possibilities in use that a quantum computer possesses.\nHaving been freed from the restrictions of binary processing, quantum computers are able to move through operations at an exponentially faster rate than a regular computer, all the while using considerably less energy. This gives quantum computers a tremendous implementation advantage over regular computers — for instance, being able to solve more difficult NP-complete problems in a fraction of the time it would take a classical computer — and that’s before you even get to specific use-cases.\n“The advent proper of quantum computing does not sound the death knell for classical computing.”\nIt should be said — the advent proper of quantum computing does not sound the death knell for classical computing, anymore than the advent of quantum physics rendered all the gains of classical mechanics moot. As in science, quantum computing is merely poised to succeed, and spectacularly so, in the realms where the classical falters. Consumers need not fear a mass-obsolescence of their gear; developers need not be concerned, if any were or continue to be, about the outmoding of their skills. Just as we’ve observed limitations in the powers of classical computers — to optimise, to simulate, to factorise — quantum computers will have weaker areas of their own, including in such everyday tasks as emailing, and the creation and use of documents. Just as a society entirely made up of professionals, and no tradespeople, wouldn’t get very far, the profundity of quantum computing is not the answer to each and every one of our needs and problems.\nIt stands a good chance at solving quite a few of them, however.\nAll Vectors to Brace Position\nQuantum computing has progressed relatively rapidly as a field, beginning ostensibly with Heisenberg’s coining of the Uncertainty Principle in 1927. Its mythological phase was announced via Richard Feynman’s challenge at an IBM/MIT conference in 1981, and the field enjoyed its first practical breakthrough in 1994, when Peter Shor demonstrated that a quantum circuit could factor primes exponentially faster than a classical computer.\nMany years hence, quantum computing is a fixture of interest for large corporations (IBM), specialist start-ups, and, increasingly, the public sector. States are investing billions of dollars in quantum technologies. That’s because, from policy creation to data analysis, and all the way out to some of the most fanciful reaches of experimental physics and chemistry, this new technology will have a pronounced effect.\nChemistry, Cybersecurity & Search\nYou may already have begun guessing which industry vectors are most likely to be upended by a coming quantum revolution — it’s a good bet to suggest that any industry whose bread and butter is composed of complex logical problems will be among the first and most dramatically affected.\nCybersecurity, for one, will be changed beyond much present recognition by a widespread adoption of quantum computing. There is some thought even now that as a society we are relatively haphazard when it comes to taking steps to secure ourselves online, even aside from those whom do less than is strictly advisable in the cause of this effort. This impression is likely to be compounded by a post-quantum-computing status quo. Rules of encryption will be rewritten overnight. There is no extant factorisation-based cryptographic system that a quantum computer could not break with contemptuous ease. Cryptographic systems will, as a result, presumably get more creative (using more problem- or lattice-based encryption), and we may see a move to more secure quantum-based encrypted systems for storing valuable information and warding against hacking.\nLikewise, any field of technology where optimisation is important will undergo pronounced changes following the adoption of quantum computing. No database is a match for the speed of processing native to a quantum computer. Quantum search, facilitated by quantum algorithms like Grover’s algorithm, allow a more comprehensive return of pertinent results from a database, in fewer queries of that database, than could ever be accomplished by a classical computer. As an unsurprising result, Google has proven one of the keenest parties when it comes to investing in research into the possibilities of quantum computing.\nOf course, quite another set of possibilities in innovation and research will be made possible by quantum computing owing to the fact that, with them in our hands, we will have an authentic environment in which to run quantum simulations. Trying to simulate quantum environments classically is inexact and highly inefficient at best and, as one’s experimental ambitions grow, impossible at the most interesting degrees. Given access to a real quantum computing environment, capable of accurately modelling and simulating quantum conditions, we will see exponential gains made in the kinds of chemistry and nanotechnology which rely on better understandings of quantum mechanics.\nThe Machine Learning Question\nWhenever developments in technology are the subject of discussion, everyone wants to know — “What is this new gear’s effect on machine learning likely to be?” And, if your inquisitor is among the more enthusiastic variety, “Is it likely to destroy us all?”\nWell, machine learning, as conventionally understood, will be introduced to a new era by quantum computing — it is already the subject of major initiatives to demonstrate quantum supremacy[2]. An algorithm for integer factorisation, which is already understood to be a preserve exclusive to quantum computing, will instantly obsole any conventionally held understandings of the limits of the systematic intelligence, even against unintuitive patterns, which can be achieved by a computer.\nThe sheer volume of data which a quantum computer can get through disposes it well to machine learning. Non-supervised learning and reinforcement learning will almost certainly accelerate in development thanks to quantum technologies. As we’ve seen, quantum computers can support considerably more ambitious algorithms than classical computers, which, as a result, are coming near to exhaustion of their possibilities, as far as the interests of certain fields run (including fields “pharmaceutical, life scientific and [financial]”).\nCommunication via the Flaws of Diamonds\nQuantum computing doesn’t begin and end with the quantum ‘desktops’[1] of the future — information networks based on quantum phenomena are high up on the list of desirable outcomes from the next chapters of quantum computational research.\nIn accordance with what we just saw vis-a-vis quantum cryptography, any quantum internet would be considerably faster than the classical kind. It would also be more secure; after all, as this report by Princeton notes, “[a]ny attempt to eavesdrop on[a quantum internet] transmission [by hackers] will perturb its state.” As we noted above, the principles of quantum entanglement are central to the feasibility of a quantum computer and a quantum internet. One qubit being unlawfully observed or disrupted? You’ll have an equivalent ‘twin’ qubit that can tell you all about it. In a quantum network, the state of one qubit will tell you a great deal about others with which it is entangled, no matter the physical distance between them.\n“In a quantum network, the state of one qubit will tell you a great deal about others with which it is entangled, no matter the physical distance between them.”\nOne of the suggested means by which a quantum internet might be built is quite stirring to the imagination. It’s the work of Princeton’s assistant professor of electrical engineering, Nathalie de Leon, who believes that the key to this new kind of informational network is held in the body of diamond. To be more specific, in the flaws of a diamond.\nThe colours we see in the sparkle of a diamond are in fact flaws in the body; but, with a slight modification to their chemical makeup (replacing two carbon atoms with a silicon atom), these regions of flaw are made into perfect photon receptacles. Perfect, in other words, for the transmission of information within a quantum internet. We could in an imaginable future find ourselves communicating on a quantum net, via the flaws of diamonds.\nAside from speed and security, a quantum internet could represent a considerable energy saving, owing to the lower rate of consumption by quantum computers. The Internet at present uses approximately 10% of the world’s total electricity, and more if you factor in the additional energy costs of data centres and the cloud. Not only do single quantum computer units use less energy than their classical counterparts; they have scope for architecture and a cloud system of their own, both of which could represent small but direct reductions of the global-digital carbon footprint.\nQuantum Disruption\nThere is, as we’ve seen, ample disruptive potential in quantum computing as a distinct field of technology — and it seems as though a vast amount of that disruption will be additive and positive, increasing overall knowledge capital and augmenting existing processes and infrastructure instead of sweeping it away.\nIt is harder to imagine any region of scientific and technological inquiry having a higher barrier-to-start-up-entry than quantum computing. Nevertheless, there are a number of promising outfits with quantum computing applications at their core, all of them heavily backed by venture capital.\nRahko\nRahko have set out to go about “solving chemistry with quantum machine learning”. Comprised of a team based in London, Rahko’s quantum machine learning platform is focused on the creation of applied and commercially purposeful insights into quantum chemistry. They raised £1.3M seed from Balderton in their latest funding round.\nQuantifi\nQuantifi, founded in New York, sit at the further frontier of what’s commercially possible with quantum computing solutions, as regards risk and deal analytics.\nCrypto Quantique\nCrypto Quantique are attempting to pre-empt the seismic shifts in crytographic best practices by developing an end-to-end quantum IoT security platform that is, they suggest, all but impregnable.\nFurther Down the Quantum Tunnel\nAs fabulous as many of these applied uses of this fantastic new technology are, I would be remiss were I to suggest that looking further afield, and permitting ourselves some slightly more fanciful speculation about what quantum computing advances will bring, is anything other than the most fun part of any article like this one. What’s more, given quantum computing technology has such a broad church of potential uses, we have even freer license to speculate on things to come in a future full of quantum technology.\nThere are hosts of medical applications for quantum computing. More detailed models of molecular structures will be built; new pharmaceutical products created thereby; and, it’s as likely as not, long-standing illnesses cured at last.\nWe might see erosion-free industrial process; the addition of sufficient mile-range to make electric cars not merely an option, but the option;\nLooking into somewhat darker harbours, there have been suggestions in some quarters that quantum computing might be purposed as a kind of natural enemy of blockchain, though the increase of institutional interest in blockchain, which is rising almost as fast as interest in quantum computing, may put paid to this by itself. Nevertheless, major blockchain initiatives like cryptocurrency could be made extinct through security compromise — in the words of representatives of UK cybersecurity firm Post Quantum, bitcoin is “not quantum computer proof.”\nQuantum computing is also of particular stated interest to military institutions, including the U.S. Airforce. Speaking to SpaceNews, Michael Hayduk, chief of the computing and communications division at the Air Force Research Laboratory approvingly adjudged quantum computing “a very disruptive technology.” Quantum computing could be used to perfect the synchrony of weaponry; as the Chinese example proves, it can also be used to produce unhackable satellites.\nLooking more broadly still, one thing that quantum computing widely adopted does promise is pace. Pace of learning, pace of processing, pace of optimisation — well used, such rapid mastication of such vast troves of data will indubitably lead to greater innovation. Indeed, it would stimulate a race of innovation, one whose dimensions are tailored precisely to the degree of competitive implementations of quantum technologies enacted by rival commercial actors, sector-by-sector.\n“Quantum computing could initiate a different kind of ‘quantum supremacy’, geopolitical in nature, that few nations will wish to be on the receiving end of.”\nAs it is, technological innovation is already proceeding rapidly towards a kind of actuarial escape velocity. As China’s own pace of innovation accelerates in tandem with the global west, even more pressurised incentive is created to continue innovating. Given quantum computing will only accelerate the gains of material science even faster and further, it’s possible that it will create nightmares of scaling, and of the industrial-scale deployment of new technologies.\nThis bottlenecking may, inasmuch, create a huge incentive for greater international collaboration. There is already one mooted and contested notion of quantum supremacy; there might, in the instance of scale-adoption of quantum computing, come the possibility of a more practical quantum supremacy, geopolitical in nature, that few nations will wish to be on the receiving end of.\nThe Trouble with Quanta\nThat’s not to say that quantum computing is a sure-shot for the near future, though it does seem progressively more likely that we’ll see the method graduate from the emergent stage into tackling classically impractical problems — like ultra-rapid integer factorisation, or elite cryptography — in the next decade at least.\nStability\nThere is the potential for instability in quantum processes, as qubits are liable to profound distortion by only minor complications in the context in which they work. The collective attempt to find a panacea for this issue is known as quantum error correction. Decoherence[3] is, understandably, a big problem for particles (or, for that matter, human-sized congregations of particles) that insist on occupying multiple states of being at once. This represents a potential compromise to the utility of even the most powerful of quantum computers.\nOne of the primary means of combatting decoherence, which is to some extent inevitable at some stage of a quantum event, is to have quantum gates faster than decoherence time —and as we observed earlier, quantum gate models are the most demanding and expensive to construct and maintain. Similarly, any functional quantum computer would have to physically scale to accommodate the number of qubits, and furthermore would have to develop a rubric by which qubits could be ‘read’ for the operative functions they denote.\nNot an intrinsic, but an infrastructural ‘drawback’ of quantum computing is the degree of platform transitioning and upgrading it will oblige of service providers across the internet. A company able to develop and scale a solution based on quantum computing — whether in cybersecurity, finance, instance messaging or data science — would rapidly develop an almost unimpeachable advantage over its classical competitors, though doing so would be difficult. The transition would have to be managed and, one would hope, reasonably cooperative. Of course, developed for political ends, a quantum computer that does not have to worry about non-quantum defence mechanisms standing in its way could make for a rather potent weapon.\nIn a Super Position\nThe panorama visible at the vanguard of developments in quantum computing is the kind liable to make your mouth dry. Quantum computers come to us not, in the manner of classical computers, as portals to a strange new world, but rather one which allows us to take our present world in a revised definition.\nOf the manifold issues, sociopolitical and ecological, facing the world at present, some of which can be partially attributable to the principle, as opposed to the fact, of innovation[4], there are two ostensible solutions — to moderate ourselves out of the hole we’ve dug for ourselves, or innovate out of it. The speed, efficiency and cleanliness by which quantum computing is capable of doing its work makes the latter option, by far the most reconcilable to this most sybaritic and consumptive of times, more palatable.\n[1] Many experts find it unlikely that quantum computing will have everyday home uses — your laptop or desktop is unlikely to feature a quantum engine.\n[2] Quantum supremacy can be defined as a kind of proof of a quantum computer’s performance, wherein it completes a function or operation that no classical computer could do, or could do in a feasible amount of time. For quantum researchers, instances of quantum supremacy proven are rather like Pieces of Eight.\n[3] Decoherence is a form of quantum noise, quantum noise itself pertaining to an uncertainty of a physical quantity’s quantum origin and, therefore, its nature. As a discrete kind of quantum noise, decoherence concerns a disrupted wave function — qubits must remain in a consistent wave function (i.e. must remain coherent) in order to be computational intelligible.\n[4] That’s to say — an unduly worshipful approach to innovation-as-end-in-itself, which privileges disruption and excess as proof of concept, instead of innovation considered as a means to a practicable end.

", "url": "https://mayckongiovani.xyz/pensieve/quantum-computing", "title": "Why the 2020s Belong to Quantum Computing", "summary": "Why the 2020s Belong to Quantum Computing", "date_modified": "2020-01-13T00:00:00.000Z", "tags": [ "Quantum Computing 2020", "Science", "Technology" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2020-01-safety-liveness-catalog-a-practical-checklist-for-protocol-s", "content_html": "
\n

Monthly research note. Theme: Formal Methods & Verification.

\n
\n

TL;DR

\n

A focused memo on Safety/Liveness Catalog: A Practical Checklist for Protocol Specs: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

In temporal logic terms, the common shape is:

\n
SafetyInvLivenessProgress.\\mathrm{Safety} \\equiv \\Box\\,\\mathrm{Inv}\\qquad\\qquad\n\\mathrm{Liveness} \\equiv \\Box\\Diamond\\,\\mathrm{Progress}.SafetyInvLiveness□◊Progress.
\n

Treat counterexamples as regression tests: reduce, encode, and replay.

\n

Keep the model small enough to run in seconds; large models rot.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  props[\"Properties\"] --> inv[\"Invariants\"]\n  inv --> model[\"Model\"]\n  model --> cex[\"Counterexamples\"]\n  cex --> tests[\"Regression Tests\"]\n  tests --> model
\n

Implementation notes

\n

Keep refinement boundaries explicit: what the spec promises vs what code enforces.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Workflow:\n1) Write a model with a few state variables.\n2) State invariants (safety) and progress conditions (liveness).\n3) Run model checker with tight bounds.\n4) Minimize counterexamples into test cases.\n5) Iterate until failures are boring.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2020-01-safety-liveness-catalog-a-practical-checklist-for-protocol-s", "title": "Safety/Liveness Catalog: A Practical Checklist for Protocol Specs", "summary": "Adversarial-first deep dive (January 2020): Safety/Liveness Catalog: A Practical Checklist for Protocol Specs.", "date_modified": "2020-01-01T00:00:00.000Z", "tags": [ "research-notes", "formal-methods", "verification", "protocol-design", "correctness" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-12-validator-ops-key-security-slashing-and-fault-containment", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Validator Ops: Key Security, Slashing, and Fault Containment: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

State commitments bind execution to succinct proofs:

\n
roott+1=H(roott, blockt, witnesst).\\mathrm{root}_{t+1} = H(\\mathrm{root}_t,\\ \\mathrm{block}_t,\\ \\mathrm{witness}_t).roott+1=H(roott, blockt, witnesst).
\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Determinism is a boundary: every nondeterministic input is an attack surface.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-12-validator-ops-key-security-slashing-and-fault-containment", "title": "Validator Ops: Key Security, Slashing, and Fault Containment", "summary": "Design memo (December 2019): Validator Ops: Key Security, Slashing, and Fault Containment.", "date_modified": "2019-12-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-11-rust-node-architecture-storage-networking-and-deterministic-", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Rust Node Architecture: Storage, Networking, and Deterministic Execution: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A ledger is a replicated state machine. Safety is uniqueness of finalized history:

\n
h1,h2: Final(h1)Final(h2)h1h2  h2h1.\\forall h_1,h_2:\\ \\mathrm{Final}(h_1)\\wedge \\mathrm{Final}(h_2)\\Rightarrow h_1 \\preceq h_2 \\ \\vee\\ h_2 \\preceq h_1.h1,h2: Final(h1)Final(h2)h1h2  h2h1.
\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Encode resource accounting and limits early; retrofits are painful.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-11-rust-node-architecture-storage-networking-and-deterministic-", "title": "Rust Node Architecture: Storage, Networking, and Deterministic Execution", "summary": "Adversarial-first deep dive (November 2019): Rust Node Architecture: Storage, Networking, and Deterministic Execution.", "date_modified": "2019-11-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-10-formalizing-a-blockchain-protocol-properties-worth-proving", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

Formalizing a Blockchain Protocol: Properties Worth Proving as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A simple resource-admission constraint:

\n
txBcost(tx)budget(B)(gas/bytes/sigchecks).\\sum_{tx \\in B} \\mathrm{cost}(tx) \\le \\mathrm{budget}(B)\\qquad\\text{(gas/bytes/sigchecks)}.txBcost(tx)budget(B)(gas/bytes/sigchecks).
\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant U as User\n  participant N as Node\n  participant P as Peers\n  U->>N: submit(tx)\n  N->>P: gossip(tx)\n  P-->>N: gossip(more tx)\n  Note over N: admission + ordering\n  N-->>U: inclusion/finality signal
\n

Implementation notes

\n

Treat mempool policy as part of the protocol if it changes security outcomes.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-10-formalizing-a-blockchain-protocol-properties-worth-proving", "title": "Formalizing a Blockchain Protocol: Properties Worth Proving", "summary": "Engineering notebook entry (October 2019): Formalizing a Blockchain Protocol: Properties Worth Proving.", "date_modified": "2019-10-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-09-zk-in-protocols-proof-systems-as-network-primitives", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on ZK in Protocols: Proof Systems as Network Primitives: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A ledger is a replicated state machine. Safety is uniqueness of finalized history:

\n
h1,h2: Final(h1)Final(h2)h1h2  h2h1.\\forall h_1,h_2:\\ \\mathrm{Final}(h_1)\\wedge \\mathrm{Final}(h_2)\\Rightarrow h_1 \\preceq h_2 \\ \\vee\\ h_2 \\preceq h_1.h1,h2: Final(h1)Final(h2)h1h2  h2h1.
\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Encode resource accounting and limits early; retrofits are painful.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-09-zk-in-protocols-proof-systems-as-network-primitives", "title": "ZK in Protocols: Proof Systems as Network Primitives", "summary": "Spec-driven research note (September 2019): ZK in Protocols: Proof Systems as Network Primitives.", "date_modified": "2019-09-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-08-bridges-where-trust-comes-back-to-collect", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Bridges: Where Trust Comes Back to Collect: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

State commitments bind execution to succinct proofs:

\n
roott+1=H(roott, blockt, witnesst).\\mathrm{root}_{t+1} = H(\\mathrm{root}_t,\\ \\mathrm{block}_t,\\ \\mathrm{witness}_t).roott+1=H(roott, blockt, witnesst).
\n

Separate consensus safety from execution safety; both must hold.

\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Treat mempool policy as part of the protocol if it changes security outcomes.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Deterministic execution is a security boundary.\npub trait Executor {\n  fn apply_block(&mut self, block: &[u8]) -> Result<(), String>;\n  fn state_root(&self) -> [u8; 32];\n}\n\n// Avoid nondeterminism: time, RNG, unordered maps, floating-point.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-08-bridges-where-trust-comes-back-to-collect", "title": "Bridges: Where Trust Comes Back to Collect", "summary": "Spec-driven research note (August 2019): Bridges: Where Trust Comes Back to Collect.", "date_modified": "2019-08-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-07-fee-markets-and-mev-incentives-as-an-adversary", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Fee Markets and MEV: Incentives as an Adversary: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A simple resource-admission constraint:

\n
txBcost(tx)budget(B)(gas/bytes/sigchecks).\\sum_{tx \\in B} \\mathrm{cost}(tx) \\le \\mathrm{budget}(B)\\qquad\\text{(gas/bytes/sigchecks)}.txBcost(tx)budget(B)(gas/bytes/sigchecks).
\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Treat mempool policy as part of the protocol if it changes security outcomes.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-07-fee-markets-and-mev-incentives-as-an-adversary", "title": "Fee Markets and MEV: Incentives as an Adversary", "summary": "Adversarial-first deep dive (July 2019): Fee Markets and MEV: Incentives as an Adversary.", "date_modified": "2019-07-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-06-state-commitments-merkle-verkle-and-proof-sizes", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

State Commitments: Merkle, Verkle, and Proof Sizes as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A simple resource-admission constraint:

\n
txBcost(tx)budget(B)(gas/bytes/sigchecks).\\sum_{tx \\in B} \\mathrm{cost}(tx) \\le \\mathrm{budget}(B)\\qquad\\text{(gas/bytes/sigchecks)}.txBcost(tx)budget(B)(gas/bytes/sigchecks).
\n

Separate consensus safety from execution safety; both must hold.

\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Encode resource accounting and limits early; retrofits are painful.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Deterministic execution is a security boundary.\npub trait Executor {\n  fn apply_block(&mut self, block: &[u8]) -> Result<(), String>;\n  fn state_root(&self) -> [u8; 32];\n}\n\n// Avoid nondeterminism: time, RNG, unordered maps, floating-point.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-06-state-commitments-merkle-verkle-and-proof-sizes", "title": "State Commitments: Merkle, Verkle, and Proof Sizes", "summary": "Correctness-focused deep dive (June 2019): State Commitments: Merkle, Verkle, and Proof Sizes.", "date_modified": "2019-06-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-05-light-clients-trust-minimization-without-full-replication", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

Light Clients: Trust Minimization Without Full Replication as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A ledger is a replicated state machine. Safety is uniqueness of finalized history:

\n
h1,h2: Final(h1)Final(h2)h1h2  h2h1.\\forall h_1,h_2:\\ \\mathrm{Final}(h_1)\\wedge \\mathrm{Final}(h_2)\\Rightarrow h_1 \\preceq h_2 \\ \\vee\\ h_2 \\preceq h_1.h1,h2: Final(h1)Final(h2)h1h2  h2h1.
\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Determinism is a boundary: every nondeterministic input is an attack surface.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Deterministic execution is a security boundary.\npub trait Executor {\n  fn apply_block(&mut self, block: &[u8]) -> Result<(), String>;\n  fn state_root(&self) -> [u8; 32];\n}\n\n// Avoid nondeterminism: time, RNG, unordered maps, floating-point.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-05-light-clients-trust-minimization-without-full-replication", "title": "Light Clients: Trust Minimization Without Full Replication", "summary": "Threat-model-first analysis (May 2019): Light Clients: Trust Minimization Without Full Replication.", "date_modified": "2019-05-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-04-finality-and-reorgs-what-users-think-vs-what-protocols-provi", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

Finality and Reorgs: What Users Think vs What Protocols Provide as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A ledger is a replicated state machine. Safety is uniqueness of finalized history:

\n
h1,h2: Final(h1)Final(h2)h1h2  h2h1.\\forall h_1,h_2:\\ \\mathrm{Final}(h_1)\\wedge \\mathrm{Final}(h_2)\\Rightarrow h_1 \\preceq h_2 \\ \\vee\\ h_2 \\preceq h_1.h1,h2: Final(h1)Final(h2)h1h2  h2h1.
\n

Model the mempool as an adversarial scheduler: it chooses which work gets executed.

\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant U as User\n  participant N as Node\n  participant P as Peers\n  U->>N: submit(tx)\n  N->>P: gossip(tx)\n  P-->>N: gossip(more tx)\n  Note over N: admission + ordering\n  N-->>U: inclusion/finality signal
\n

Implementation notes

\n

Encode resource accounting and limits early; retrofits are painful.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-04-finality-and-reorgs-what-users-think-vs-what-protocols-provi", "title": "Finality and Reorgs: What Users Think vs What Protocols Provide", "summary": "Engineering notebook entry (April 2019): Finality and Reorgs: What Users Think vs What Protocols Provide.", "date_modified": "2019-04-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-03-gossip-networks-propagation-eclipse-attacks-and-topology", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Gossip Networks: Propagation, Eclipse Attacks, and Topology: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A simple resource-admission constraint:

\n
txBcost(tx)budget(B)(gas/bytes/sigchecks).\\sum_{tx \\in B} \\mathrm{cost}(tx) \\le \\mathrm{budget}(B)\\qquad\\text{(gas/bytes/sigchecks)}.txBcost(tx)budget(B)(gas/bytes/sigchecks).
\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n

Separate consensus safety from execution safety; both must hold.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant U as User\n  participant N as Node\n  participant P as Peers\n  U->>N: submit(tx)\n  N->>P: gossip(tx)\n  P-->>N: gossip(more tx)\n  Note over N: admission + ordering\n  N-->>U: inclusion/finality signal
\n

Implementation notes

\n

Determinism is a boundary: every nondeterministic input is an attack surface.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Deterministic execution is a security boundary.\npub trait Executor {\n  fn apply_block(&mut self, block: &[u8]) -> Result<(), String>;\n  fn state_root(&self) -> [u8; 32];\n}\n\n// Avoid nondeterminism: time, RNG, unordered maps, floating-point.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-03-gossip-networks-propagation-eclipse-attacks-and-topology", "title": "Gossip Networks: Propagation, Eclipse Attacks, and Topology", "summary": "Adversarial-first deep dive (March 2019): Gossip Networks: Propagation, Eclipse Attacks, and Topology.", "date_modified": "2019-03-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-02-mempool-design-under-adversarial-load-admission-fees-and-spa", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on Mempool Design Under Adversarial Load: Admission, Fees, and Spam: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

State commitments bind execution to succinct proofs:

\n
roott+1=H(roott, blockt, witnesst).\\mathrm{root}_{t+1} = H(\\mathrm{root}_t,\\ \\mathrm{block}_t,\\ \\mathrm{witness}_t).roott+1=H(roott, blockt, witnesst).
\n

Separate consensus safety from execution safety; both must hold.

\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Treat mempool policy as part of the protocol if it changes security outcomes.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Mempool hardening checklist:\n- Per-peer rate limits + global admission budget\n- Duplicate detection and eviction policy\n- Signature verification batching with caps\n- Anti-DoS: bounded decode/parse cost\n- Fairness: per-sender quotas (avoid hot-account starvation)
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-02-mempool-design-under-adversarial-load-admission-fees-and-spa", "title": "Mempool Design Under Adversarial Load: Admission, Fees, and Spam", "summary": "Adversarial-first deep dive (February 2019): Mempool Design Under Adversarial Load: Admission, Fees, and Spam.", "date_modified": "2019-02-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2019-01-the-ledger-as-a-state-machine-execution-determinism-and-repr", "content_html": "
\n

Monthly research note. Theme: Blockchain Protocols.

\n
\n

TL;DR

\n

A focused memo on The Ledger as a State Machine: Execution, Determinism, and Reproducibility: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A ledger is a replicated state machine. Safety is uniqueness of finalized history:

\n
h1,h2: Final(h1)Final(h2)h1h2  h2h1.\\forall h_1,h_2:\\ \\mathrm{Final}(h_1)\\wedge \\mathrm{Final}(h_2)\\Rightarrow h_1 \\preceq h_2 \\ \\vee\\ h_2 \\preceq h_1.h1,h2: Final(h1)Final(h2)h1h2  h2h1.
\n

Explicitly model upgrade boundaries: old rules vs new rules during transition.

\n

Treat reorgs as a user-visible security event; encode reorg-aware semantics.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  tx[\"Transaction\"] --> mp[\"Mempool (admission + prioritization)\"]\n  mp --> prop[\"Block Proposal\"]\n  prop --> cons[\"Consensus / Finality\"]\n  cons --> exec[\"Deterministic Execution\"]\n  exec --> root[\"State Root Commitment\"]
\n

Implementation notes

\n

Determinism is a boundary: every nondeterministic input is an attack surface.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
// Deterministic execution is a security boundary.\npub trait Executor {\n  fn apply_block(&mut self, block: &[u8]) -> Result<(), String>;\n  fn state_root(&self) -> [u8; 32];\n}\n\n// Avoid nondeterminism: time, RNG, unordered maps, floating-point.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2019-01-the-ledger-as-a-state-machine-execution-determinism-and-repr", "title": "The Ledger as a State Machine: Execution, Determinism, and Reproducibility", "summary": "Adversarial-first deep dive (January 2019): The Ledger as a State Machine: Execution, Determinism, and Reproducibility.", "date_modified": "2019-01-01T00:00:00.000Z", "tags": [ "research-notes", "blockchain-protocols", "distributed-systems", "cryptography", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-12-incident-response-for-crypto-systems-key-compromise-playbook", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

Incident Response for Crypto Systems: Key Compromise Playbooks as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Audit integrity is a cryptographic property:

\n
log_entrySignkaudit(hash(event)  metadata).\\mathrm{log\\_entry} \\leftarrow \\mathrm{Sign}_{k_\\text{audit}}(\\mathrm{hash}(\\text{event})\\ \\Vert\\ \\text{metadata}).log_entrySignkaudit(hash(event)  metadata).
\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Never pass secrets around; pass handles with purpose constraints.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-12-incident-response-for-crypto-systems-key-compromise-playbook", "title": "Incident Response for Crypto Systems: Key Compromise Playbooks", "summary": "Correctness-focused deep dive (December 2018): Incident Response for Crypto Systems: Key Compromise Playbooks.", "date_modified": "2018-12-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-11-kms-hsm-threat-models-when-managed-doesnt-mean-safe", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

KMS/HSM Threat Models: When 'Managed' Doesn't Mean 'Safe' as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Audit integrity is a cryptographic property:

\n
log_entrySignkaudit(hash(event)  metadata).\\mathrm{log\\_entry} \\leftarrow \\mathrm{Sign}_{k_\\text{audit}}(\\mathrm{hash}(\\text{event})\\ \\Vert\\ \\text{metadata}).log_entrySignkaudit(hash(event)  metadata).
\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Make policy explicit and enforce it in the narrowest component possible.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-11-kms-hsm-threat-models-when-managed-doesnt-mean-safe", "title": "KMS/HSM Threat Models: When 'Managed' Doesn't Mean 'Safe'", "summary": "Correctness-focused deep dive (November 2018): KMS/HSM Threat Models: When 'Managed' Doesn't Mean 'Safe'.", "date_modified": "2018-11-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-10-multi-tenant-isolation-crypto-boundaries-vs-kernel-boundarie", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Multi-Tenant Isolation: Crypto Boundaries vs Kernel Boundaries: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A practical safety statement for key usage is least authority:

\n
capability(key, purpose)¬use(key, other purpose).\\text{capability}(\\text{key},\\ \\text{purpose}) \\Rightarrow \\neg \\text{use}(\\text{key},\\ \\text{other purpose}).capability(key, purpose)¬use(key, other purpose).
\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Make policy explicit and enforce it in the narrowest component possible.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Capability-style API: callers get a handle scoped to purpose + TTL.\ntype KeyPurpose string\ntype KeyHandle struct {\n  ID string\n  Purpose KeyPurpose\n  ExpiresAtUnix int64\n}\n\ntype Signer interface {\n  Sign(h KeyHandle, msg []byte) (sig []byte, err error)\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-10-multi-tenant-isolation-crypto-boundaries-vs-kernel-boundarie", "title": "Multi-Tenant Isolation: Crypto Boundaries vs Kernel Boundaries", "summary": "Spec-driven research note (October 2018): Multi-Tenant Isolation: Crypto Boundaries vs Kernel Boundaries.", "date_modified": "2018-10-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-09-cryptographic-agility-designing-for-the-algorithm-you-havent", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

Cryptographic Agility: Designing for the Algorithm You Haven't Met Yet as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Key derivation is where protocols quietly succeed or fail. A sane default is domain-separated HKDF:

\n
kHKDF(salt, ikm, info=context).k \\leftarrow \\mathrm{HKDF}(\\text{salt},\\ \\text{ikm},\\ \\text{info}=\\text{context}).kHKDF(salt, ikm, info=context).
\n

Bind every derived key to context: protocol, role, version, and transcript.

\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  policy[\"Policy (purpose + TTL)\"] --> service[\"Signer Service\"]\n  service --> hsm[\"HSM/KMS\"]\n  service --> audit[\"Audit Stream\"]\n  audit --> siem[\"Detection/Response\"]
\n

Implementation notes

\n

Never pass secrets around; pass handles with purpose constraints.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Capability-style API: callers get a handle scoped to purpose + TTL.\ntype KeyPurpose string\ntype KeyHandle struct {\n  ID string\n  Purpose KeyPurpose\n  ExpiresAtUnix int64\n}\n\ntype Signer interface {\n  Sign(h KeyHandle, msg []byte) (sig []byte, err error)\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-09-cryptographic-agility-designing-for-the-algorithm-you-havent", "title": "Cryptographic Agility: Designing for the Algorithm You Haven't Met Yet", "summary": "Threat-model-first analysis (September 2018): Cryptographic Agility: Designing for the Algorithm You Haven't Met Yet.", "date_modified": "2018-09-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-08-logging-for-forensics-tamper-evident-event-pipelines", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Logging for Forensics: Tamper Evident Event Pipelines: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A practical safety statement for key usage is least authority:

\n
capability(key, purpose)¬use(key, other purpose).\\text{capability}(\\text{key},\\ \\text{purpose}) \\Rightarrow \\neg \\text{use}(\\text{key},\\ \\text{other purpose}).capability(key, purpose)¬use(key, other purpose).
\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n

Bind every derived key to context: protocol, role, version, and transcript.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart LR\n  policy[\"Policy (purpose + TTL)\"] --> service[\"Signer Service\"]\n  service --> hsm[\"HSM/KMS\"]\n  service --> audit[\"Audit Stream\"]\n  audit --> siem[\"Detection/Response\"]
\n

Implementation notes

\n

Never pass secrets around; pass handles with purpose constraints.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-08-logging-for-forensics-tamper-evident-event-pipelines", "title": "Logging for Forensics: Tamper Evident Event Pipelines", "summary": "Adversarial-first deep dive (August 2018): Logging for Forensics: Tamper Evident Event Pipelines.", "date_modified": "2018-08-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-07-tls-beyond-defaults-ciphersuites-alpn-and-operational-realit", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on TLS Beyond Defaults: Ciphersuites, ALPN, and Operational Reality: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A practical safety statement for key usage is least authority:

\n
capability(key, purpose)¬use(key, other purpose).\\text{capability}(\\text{key},\\ \\text{purpose}) \\Rightarrow \\neg \\text{use}(\\text{key},\\ \\text{other purpose}).capability(key, purpose)¬use(key, other purpose).
\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Never pass secrets around; pass handles with purpose constraints.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-07-tls-beyond-defaults-ciphersuites-alpn-and-operational-realit", "title": "TLS Beyond Defaults: Ciphersuites, ALPN, and Operational Reality", "summary": "Spec-driven research note (July 2018): TLS Beyond Defaults: Ciphersuites, ALPN, and Operational Reality.", "date_modified": "2018-07-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-06-secure-firmware-updates-signed-manifests-and-rollback-protec", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Secure Firmware Updates: Signed Manifests and Rollback Protection: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Audit integrity is a cryptographic property:

\n
log_entrySignkaudit(hash(event)  metadata).\\mathrm{log\\_entry} \\leftarrow \\mathrm{Sign}_{k_\\text{audit}}(\\mathrm{hash}(\\text{event})\\ \\Vert\\ \\text{metadata}).log_entrySignkaudit(hash(event)  metadata).
\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n

Bind every derived key to context: protocol, role, version, and transcript.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Crypto infra is a product: UX, policy, audit, and rollback must compose.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-06-secure-firmware-updates-signed-manifests-and-rollback-protec", "title": "Secure Firmware Updates: Signed Manifests and Rollback Protection", "summary": "Spec-driven research note (June 2018): Secure Firmware Updates: Signed Manifests and Rollback Protection.", "date_modified": "2018-06-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-05-side-channels-constant-time-cache-attacks-and-real-threat-mo", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Side Channels: Constant-Time, Cache Attacks, and Real Threat Models: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Key derivation is where protocols quietly succeed or fail. A sane default is domain-separated HKDF:

\n
kHKDF(salt, ikm, info=context).k \\leftarrow \\mathrm{HKDF}(\\text{salt},\\ \\text{ikm},\\ \\text{info}=\\text{context}).kHKDF(salt, ikm, info=context).
\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n

Bind every derived key to context: protocol, role, version, and transcript.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart LR\n  policy[\"Policy (purpose + TTL)\"] --> service[\"Signer Service\"]\n  service --> hsm[\"HSM/KMS\"]\n  service --> audit[\"Audit Stream\"]\n  audit --> siem[\"Detection/Response\"]
\n

Implementation notes

\n

Crypto infra is a product: UX, policy, audit, and rollback must compose.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-05-side-channels-constant-time-cache-attacks-and-real-threat-mo", "title": "Side Channels: Constant-Time, Cache Attacks, and Real Threat Models", "summary": "Adversarial-first deep dive (May 2018): Side Channels: Constant-Time, Cache Attacks, and Real Threat Models.", "date_modified": "2018-05-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-04-hardware-roots-of-trust-tpm-secure-boot-and-attestation", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

Hardware Roots of Trust: TPM, Secure Boot, and Attestation as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

Key derivation is where protocols quietly succeed or fail. A sane default is domain-separated HKDF:

\n
kHKDF(salt, ikm, info=context).k \\leftarrow \\mathrm{HKDF}(\\text{salt},\\ \\text{ikm},\\ \\text{info}=\\text{context}).kHKDF(salt, ikm, info=context).
\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n

Bind every derived key to context: protocol, role, version, and transcript.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Crypto infra is a product: UX, policy, audit, and rollback must compose.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Capability-style API: callers get a handle scoped to purpose + TTL.\ntype KeyPurpose string\ntype KeyHandle struct {\n  ID string\n  Purpose KeyPurpose\n  ExpiresAtUnix int64\n}\n\ntype Signer interface {\n  Sign(h KeyHandle, msg []byte) (sig []byte, err error)\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Krawczyk H, Eronen P. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [Internet]. RFC Editor; 2010. Report No.: 5869. Available from: https://www.rfc-editor.org/rfc/rfc5869
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-04-hardware-roots-of-trust-tpm-secure-boot-and-attestation", "title": "Hardware Roots of Trust: TPM, Secure Boot, and Attestation", "summary": "Correctness-focused deep dive (April 2018): Hardware Roots of Trust: TPM, Secure Boot, and Attestation.", "date_modified": "2018-04-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-03-secrets-vs-capabilities-token-design-in-microservices", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Secrets vs Capabilities: Token Design in Microservices: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A practical safety statement for key usage is least authority:

\n
capability(key, purpose)¬use(key, other purpose).\\text{capability}(\\text{key},\\ \\text{purpose}) \\Rightarrow \\neg \\text{use}(\\text{key},\\ \\text{other purpose}).capability(key, purpose)¬use(key, other purpose).
\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n

Bind every derived key to context: protocol, role, version, and transcript.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Crypto infra is a product: UX, policy, audit, and rollback must compose.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
// Capability-style API: callers get a handle scoped to purpose + TTL.\ntype KeyPurpose string\ntype KeyHandle struct {\n  ID string\n  Purpose KeyPurpose\n  ExpiresAtUnix int64\n}\n\ntype Signer interface {\n  Sign(h KeyHandle, msg []byte) (sig []byte, err error)\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
\n
2.
Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3 [Internet]. RFC Editor; 2018. Report No.: 8446. Available from: https://www.rfc-editor.org/rfc/rfc8446
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-03-secrets-vs-capabilities-token-design-in-microservices", "title": "Secrets vs Capabilities: Token Design in Microservices", "summary": "Design memo (March 2018): Secrets vs Capabilities: Token Design in Microservices.", "date_modified": "2018-03-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-02-key-management-at-scale-rotation-audit-and-blast-radius", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

A focused memo on Key Management at Scale: Rotation, Audit, and Blast Radius: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

Audit integrity is a cryptographic property:

\n
log_entrySignkaudit(hash(event)  metadata).\\mathrm{log\\_entry} \\leftarrow \\mathrm{Sign}_{k_\\text{audit}}(\\mathrm{hash}(\\text{event})\\ \\Vert\\ \\text{metadata}).log_entrySignkaudit(hash(event)  metadata).
\n

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart LR\n  policy[\"Policy (purpose + TTL)\"] --> service[\"Signer Service\"]\n  service --> hsm[\"HSM/KMS\"]\n  service --> audit[\"Audit Stream\"]\n  audit --> siem[\"Detection/Response\"]
\n

Implementation notes

\n

Make policy explicit and enforce it in the narrowest component possible.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
// Capability-style API: callers get a handle scoped to purpose + TTL.\ntype KeyPurpose string\ntype KeyHandle struct {\n  ID string\n  Purpose KeyPurpose\n  ExpiresAtUnix int64\n}\n\ntype Signer interface {\n  Sign(h KeyHandle, msg []byte) (sig []byte, err error)\n}
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-02-key-management-at-scale-rotation-audit-and-blast-radius", "title": "Key Management at Scale: Rotation, Audit, and Blast Radius", "summary": "Spec-driven research note (February 2018): Key Management at Scale: Rotation, Audit, and Blast Radius.", "date_modified": "2018-02-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2018-01-pki-as-an-operating-system-certificates-policies-and-expirat", "content_html": "
\n

Monthly research note. Theme: Cryptographic Infrastructure.

\n
\n

TL;DR

\n

PKI as an Operating System: Certificates, Policies, and Expiration as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

Audit integrity is a cryptographic property:

\n
log_entrySignkaudit(hash(event)  metadata).\\mathrm{log\\_entry} \\leftarrow \\mathrm{Sign}_{k_\\text{audit}}(\\mathrm{hash}(\\text{event})\\ \\Vert\\ \\text{metadata}).log_entrySignkaudit(hash(event)  metadata).
\n

Audit logs are evidence. Make them tamper-evident and operationally accessible.

\n

Assume compromise and design for recovery: rotation, revocation, and forensics.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  gen[\"KeyGen (HSM/KMS)\"] --> use[\"Use (TLS/VPN/Signing)\"]\n  use --> rot[\"Rotate (policy + automation)\"]\n  rot --> revoke[\"Revoke (incident)\"]\n  revoke --> audit[\"Audit/Forensics\"]\n  audit --> gen
\n

Implementation notes

\n

Crypto infra is a product: UX, policy, audit, and rollback must compose.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
#[derive(Clone, Copy, Debug)]\npub enum Purpose { Tls, Jwt, Firmware, Ledger }\n\npub struct KeyHandle { id: String, purpose: Purpose }\n\n// Enforce purpose and algorithm policy at the boundary, not in the caller.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2018-01-pki-as-an-operating-system-certificates-policies-and-expirat", "title": "PKI as an Operating System: Certificates, Policies, and Expiration", "summary": "Correctness-focused deep dive (January 2018): PKI as an Operating System: Certificates, Policies, and Expiration.", "date_modified": "2018-01-01T00:00:00.000Z", "tags": [ "research-notes", "cryptography", "security", "security-critical-infrastructure", "DevSecOps" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-12-a-minimal-tla-workflow-for-distributed-protocols", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on A Minimal TLA+ Workflow for Distributed Protocols: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

For quorum-based protocols, the intersection property is the backbone of safety:

\n
Crash-fault: Q>n2Byzantine: n3f+1, Q2f+1.\\text{Crash-fault: } |Q| > \\frac{n}{2}\\qquad\\qquad\n\\text{Byzantine: } n \\ge 3f+1,\\ |Q| \\ge 2f+1.Crash-fault: Q>2nByzantine: n3f+1, Q2f+1.
\n

Treat membership changes as protocol events, not control-plane side effects.

\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant L as Leader\n  participant F1 as Follower 1\n  participant F2 as Follower 2\n  C->>L: propose(cmd)\n  L->>F1: appendEntries\n  L->>F2: appendEntries\n  F1-->>L: ack\n  F2-->>L: ack\n  L-->>C: commit(result)
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-12-a-minimal-tla-workflow-for-distributed-protocols", "title": "A Minimal TLA+ Workflow for Distributed Protocols", "summary": "Spec-driven research note (December 2017): A Minimal TLA+ Workflow for Distributed Protocols.", "date_modified": "2017-12-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-11-designing-for-network-partitions-degraded-modes-that-still-m", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

Designing for Network Partitions: Degraded Modes That Still Make Sense as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

Under partial synchrony, progress depends on a stabilizing period:

\n
T: tT, messages delivered within Δ.\\exists T:\\ \\forall t \\ge T,\\ \\text{messages delivered within } \\Delta.T: tT, messages delivered within Δ.
\n

Make overload explicit: admission control is a protocol boundary.

\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant L as Leader\n  participant F1 as Follower 1\n  participant F2 as Follower 2\n  C->>L: propose(cmd)\n  L->>F1: appendEntries\n  L->>F2: appendEntries\n  F1-->>L: ack\n  F2-->>L: ack\n  L-->>C: commit(result)
\n

Implementation notes

\n

Protocols fail at the boundaries: timeouts, membership, compaction, and overload.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-11-designing-for-network-partitions-degraded-modes-that-still-m", "title": "Designing for Network Partitions: Degraded Modes That Still Make Sense", "summary": "Engineering notebook entry (November 2017): Designing for Network Partitions: Degraded Modes That Still Make Sense.", "date_modified": "2017-11-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-10-rate-limiting-and-fairness-protecting-critical-paths", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on Rate Limiting and Fairness: Protecting Critical Paths: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Liveness is always conditional: specify when progress is expected and what you do otherwise.

\n

Treat membership changes as protocol events, not control-plane side effects.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Follower\n  Follower --> Candidate: timeout\n  Candidate --> Leader: win quorum\n  Candidate --> Follower: lose\n  Leader --> Follower: stepdown
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Ongaro D, Ousterhout J. In Search of an Understandable Consensus Algorithm (Raft). In: 2014 USENIX Annual Technical Conference (USENIX ATC 14) [Internet]. 2014. Available from: https://raft.github.io/raft.pdf
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-10-rate-limiting-and-fairness-protecting-critical-paths", "title": "Rate Limiting and Fairness: Protecting Critical Paths", "summary": "Design memo (October 2017): Rate Limiting and Fairness: Protecting Critical Paths.", "date_modified": "2017-10-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-09-queues-streams-exactly-once-semantics-without-lying-to-yours", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on Queues & Streams: Exactly-Once Semantics Without Lying to Yourself: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

For quorum-based protocols, the intersection property is the backbone of safety:

\n
Crash-fault: Q>n2Byzantine: n3f+1, Q2f+1.\\text{Crash-fault: } |Q| > \\frac{n}{2}\\qquad\\qquad\n\\text{Byzantine: } n \\ge 3f+1,\\ |Q| \\ge 2f+1.Crash-fault: Q>2nByzantine: n3f+1, Q2f+1.
\n

Make overload explicit: admission control is a protocol boundary.

\n

Treat membership changes as protocol events, not control-plane side effects.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Follower\n  Follower --> Candidate: timeout\n  Candidate --> Leader: win quorum\n  Candidate --> Follower: lose\n  Leader --> Follower: stepdown
\n

Implementation notes

\n

Make the state machine explicit; then make persistence and networking boring.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
type LogIndex = u64;\n\n#[derive(Clone, Debug)]\nstruct Entry {\n  index: LogIndex,\n  term: u64,\n  bytes: Vec<u8>,\n}\n\n// Persist(term, vote, log) before acknowledging anything.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-09-queues-streams-exactly-once-semantics-without-lying-to-yours", "title": "Queues & Streams: Exactly-Once Semantics Without Lying to Yourself", "summary": "Design memo (September 2017): Queues & Streams: Exactly-Once Semantics Without Lying to Yourself.", "date_modified": "2017-09-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-08-geo-replication-latency-budgets-and-cross-region-failure-mod", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

Geo-Replication: Latency Budgets and Cross-Region Failure Modes as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

For quorum-based protocols, the intersection property is the backbone of safety:

\n
Crash-fault: Q>n2Byzantine: n3f+1, Q2f+1.\\text{Crash-fault: } |Q| > \\frac{n}{2}\\qquad\\qquad\n\\text{Byzantine: } n \\ge 3f+1,\\ |Q| \\ge 2f+1.Crash-fault: Q>2nByzantine: n3f+1, Q2f+1.
\n

Treat membership changes as protocol events, not control-plane side effects.

\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant L as Leader\n  participant F1 as Follower 1\n  participant F2 as Follower 2\n  C->>L: propose(cmd)\n  L->>F1: appendEntries\n  L->>F2: appendEntries\n  F1-->>L: ack\n  F2-->>L: ack\n  L-->>C: commit(result)
\n

Implementation notes

\n

Protocols fail at the boundaries: timeouts, membership, compaction, and overload.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-08-geo-replication-latency-budgets-and-cross-region-failure-mod", "title": "Geo-Replication: Latency Budgets and Cross-Region Failure Modes", "summary": "Threat-model-first analysis (August 2017): Geo-Replication: Latency Budgets and Cross-Region Failure Modes.", "date_modified": "2017-08-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-07-gossip-epidemic-dissemination-fast-probabilistic-and-weird", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

Gossip & Epidemic Dissemination: Fast, Probabilistic, and Weird as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Treat membership changes as protocol events, not control-plane side effects.

\n

Liveness is always conditional: specify when progress is expected and what you do otherwise.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Follower\n  Follower --> Candidate: timeout\n  Candidate --> Leader: win quorum\n  Candidate --> Follower: lose\n  Leader --> Follower: stepdown
\n

Implementation notes

\n

Protocols fail at the boundaries: timeouts, membership, compaction, and overload.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-07-gossip-epidemic-dissemination-fast-probabilistic-and-weird", "title": "Gossip & Epidemic Dissemination: Fast, Probabilistic, and Weird", "summary": "Threat-model-first analysis (July 2017): Gossip & Epidemic Dissemination: Fast, Probabilistic, and Weird.", "date_modified": "2017-07-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-06-transactions-2pc-3pc-and-coordinators-you-cant-trust", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on Transactions: 2PC, 3PC, and Coordinators You Can't Trust: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n

Liveness is always conditional: specify when progress is expected and what you do otherwise.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  client[\"Client\"] --> leader[\"Leader\"]\n  leader --> log[\"Replicated Log\"]\n  log --> snap[\"Snapshot\"]\n  snap --> recover[\"Recovery / Catch-up\"]\n  leader --> reconfig[\"Reconfiguration\"]
\n

Implementation notes

\n

Make the state machine explicit; then make persistence and networking boring.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
Ongaro D, Ousterhout J. In Search of an Understandable Consensus Algorithm (Raft). In: 2014 USENIX Annual Technical Conference (USENIX ATC 14) [Internet]. 2014. Available from: https://raft.github.io/raft.pdf
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-06-transactions-2pc-3pc-and-coordinators-you-cant-trust", "title": "Transactions: 2PC, 3PC, and Coordinators You Can't Trust", "summary": "Design memo (June 2017): Transactions: 2PC, 3PC, and Coordinators You Can't Trust.", "date_modified": "2017-06-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-05-consistency-models-linearizability-serializability-and-what-", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on Consistency Models: Linearizability, Serializability, and What You Actually Need: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n

Treat membership changes as protocol events, not control-plane side effects.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant L as Leader\n  participant F1 as Follower 1\n  participant F2 as Follower 2\n  C->>L: propose(cmd)\n  L->>F1: appendEntries\n  L->>F2: appendEntries\n  F1-->>L: ack\n  F2-->>L: ack\n  L-->>C: commit(result)
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
type LogIndex = u64;\n\n#[derive(Clone, Debug)]\nstruct Entry {\n  index: LogIndex,\n  term: u64,\n  bytes: Vec<u8>,\n}\n\n// Persist(term, vote, log) before acknowledging anything.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-05-consistency-models-linearizability-serializability-and-what-", "title": "Consistency Models: Linearizability, Serializability, and What You Actually Need", "summary": "Design memo (May 2017): Consistency Models: Linearizability, Serializability, and What You Actually Need.", "date_modified": "2017-05-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-04-membership-reconfiguration-changing-the-set-without-breaking", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on Membership & Reconfiguration: Changing the Set Without Breaking Safety: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Treat membership changes as protocol events, not control-plane side effects.

\n

Make overload explicit: admission control is a protocol boundary.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  client[\"Client\"] --> leader[\"Leader\"]\n  leader --> log[\"Replicated Log\"]\n  log --> snap[\"Snapshot\"]\n  snap --> recover[\"Recovery / Catch-up\"]\n  leader --> reconfig[\"Reconfiguration\"]
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
type LogIndex = u64;\n\n#[derive(Clone, Debug)]\nstruct Entry {\n  index: LogIndex,\n  term: u64,\n  bytes: Vec<u8>,\n}\n\n// Persist(term, vote, log) before acknowledging anything.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Ongaro D, Ousterhout J. In Search of an Understandable Consensus Algorithm (Raft). In: 2014 USENIX Annual Technical Conference (USENIX ATC 14) [Internet]. 2014. Available from: https://raft.github.io/raft.pdf
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-04-membership-reconfiguration-changing-the-set-without-breaking", "title": "Membership & Reconfiguration: Changing the Set Without Breaking Safety", "summary": "Adversarial-first deep dive (April 2017): Membership & Reconfiguration: Changing the Set Without Breaking Safety.", "date_modified": "2017-04-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-03-bft-from-first-principles-safety-liveness-and-quorums", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on BFT from First Principles: Safety, Liveness, and Quorums: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

For quorum-based protocols, the intersection property is the backbone of safety:

\n
Crash-fault: Q>n2Byzantine: n3f+1, Q2f+1.\\text{Crash-fault: } |Q| > \\frac{n}{2}\\qquad\\qquad\n\\text{Byzantine: } n \\ge 3f+1,\\ |Q| \\ge 2f+1.Crash-fault: Q>2nByzantine: n3f+1, Q2f+1.
\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n

Make overload explicit: admission control is a protocol boundary.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  client[\"Client\"] --> leader[\"Leader\"]\n  leader --> log[\"Replicated Log\"]\n  log --> snap[\"Snapshot\"]\n  snap --> recover[\"Recovery / Catch-up\"]\n  leader --> reconfig[\"Reconfiguration\"]
\n

Implementation notes

\n

Make the state machine explicit; then make persistence and networking boring.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-03-bft-from-first-principles-safety-liveness-and-quorums", "title": "BFT from First Principles: Safety, Liveness, and Quorums", "summary": "Adversarial-first deep dive (March 2017): BFT from First Principles: Safety, Liveness, and Quorums.", "date_modified": "2017-03-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-02-consensus-under-partial-synchrony-from-paxos-to-raft", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

Consensus Under Partial Synchrony: From Paxos to Raft as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

For quorum-based protocols, the intersection property is the backbone of safety:

\n
Crash-fault: Q>n2Byzantine: n3f+1, Q2f+1.\\text{Crash-fault: } |Q| > \\frac{n}{2}\\qquad\\qquad\n\\text{Byzantine: } n \\ge 3f+1,\\ |Q| \\ge 2f+1.Crash-fault: Q>2nByzantine: n3f+1, Q2f+1.
\n

Liveness is always conditional: specify when progress is expected and what you do otherwise.

\n

Write down the safety property first. If it’s not written, it’s not implemented.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant L as Leader\n  participant F1 as Follower 1\n  participant F2 as Follower 2\n  C->>L: propose(cmd)\n  L->>F1: appendEntries\n  L->>F2: appendEntries\n  F1-->>L: ack\n  F2-->>L: ack\n  L-->>C: commit(result)
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-02-consensus-under-partial-synchrony-from-paxos-to-raft", "title": "Consensus Under Partial Synchrony: From Paxos to Raft", "summary": "Correctness-focused deep dive (February 2017): Consensus Under Partial Synchrony: From Paxos to Raft.", "date_modified": "2017-02-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2017-01-state-machine-replication-log-design-snapshots-and-compactio", "content_html": "
\n

Monthly research note. Theme: Distributed Systems Under Failure.

\n
\n

TL;DR

\n

A focused memo on State Machine Replication: Log Design, Snapshots, and Compaction: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A common safety shape for replicated logs:

\n
i: Committed(i)r: Logr[i]=Logleader[i].\\forall i:\\ \\text{Committed}(i)\\Rightarrow \\forall r:\\ \\text{Log}_r[i] = \\text{Log}_\\text{leader}[i].i: Committed(i)r: Logr[i]=Logleader[i].
\n

Liveness is always conditional: specify when progress is expected and what you do otherwise.

\n

Treat membership changes as protocol events, not control-plane side effects.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
flowchart TD\n  client[\"Client\"] --> leader[\"Leader\"]\n  leader --> log[\"Replicated Log\"]\n  log --> snap[\"Snapshot\"]\n  snap --> recover[\"Recovery / Catch-up\"]\n  leader --> reconfig[\"Reconfiguration\"]
\n

Implementation notes

\n

Your protocol is an interface between failures and invariants. Encode both.

\n
\n
Rule of thumb
\n

If you can’t explain a timeout outcome, you can’t make retries safe.

\n
\n
Operational invariants to monitor:\n- leader_changes_per_minute\n- commit_index_monotonic\n- snapshot_install_failures\n- quorum_acks_latency_p99\n- rejected_requests_due_to_admission_control
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2017-01-state-machine-replication-log-design-snapshots-and-compactio", "title": "State Machine Replication: Log Design, Snapshots, and Compaction", "summary": "Adversarial-first deep dive (January 2017): State Machine Replication: Log Design, Snapshots, and Compaction.", "date_modified": "2017-01-01T00:00:00.000Z", "tags": [ "research-notes", "distributed-systems", "protocol-design", "resilience", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-12-security-vs-reliability-when-the-same-bug-has-two-names", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Security vs Reliability: When the Same Bug Has Two Names as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

We want a transition function δ\\deltaδ and invariant Inv\\mathrm{Inv}Inv such that:

\n
st+1=δ(st,et)Inv(st)Inv(st+1).s_{t+1} = \\delta(s_t, e_t)\\qquad\\wedge\\qquad \\mathrm{Inv}(s_t)\\Rightarrow \\mathrm{Inv}(s_{t+1}).st+1=δ(st,et)Inv(st)Inv(st+1).
\n

If you can’t define what a timeout means, you can’t implement retries safely. Make ambiguity explicit in the API.

\n

Crash points matter: define what happens if the process stops after each line that mutates state or acknowledges work.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

The goal isn’t cleverness—it’s eliminating ambiguity at boundaries and making recovery boring.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Idempotency sketch: reserve -> execute -> commit result (or return cached).\ntype Key string\n\ntype Store interface {\n  Get(key Key) (value []byte, ok bool, err error)\n  PutIfAbsent(key Key, value []byte) (stored bool, err error)\n}\n\n// Security vs Reliability: When the Same Bug Has Two Names: \"timeout\" must not mean \"try again and maybe double-apply\".
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
\n
2.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-12-security-vs-reliability-when-the-same-bug-has-two-names", "title": "Security vs Reliability: When the Same Bug Has Two Names", "summary": "Correctness-focused deep dive (December 2016): Security vs Reliability: When the Same Bug Has Two Names.", "date_modified": "2016-12-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-11-reproducible-builds-trusting-artifacts-in-a-hostile-world", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Reproducible Builds: Trusting Artifacts in a Hostile World as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

For idempotent operations, the contract is set-like:

\n
apply(s,op,k)=apply(s,op,k)andapply(s,op,k1)apply(s,op,k2) in general.\\mathrm{apply}(s, op, k) = \\mathrm{apply}(s, op, k) \\quad\\text{and}\\quad\n\\mathrm{apply}(s, op, k_1) \\neq \\mathrm{apply}(s, op, k_2)\\ \\text{in general}.apply(s,op,k)=apply(s,op,k)andapply(s,op,k1)=apply(s,op,k2) in general.
\n

Treat invariants as a first-class interface: a function that cannot check its invariants cannot be safely composed. Start with the smallest invariant that is both meaningful and enforceable at your boundaries.

\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

Correctness lives in the seams: encoding, persistence, concurrency, and retries.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Reproducible Builds: Trusting Artifacts in a Hostile World: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-11-reproducible-builds-trusting-artifacts-in-a-hostile-world", "title": "Reproducible Builds: Trusting Artifacts in a Hostile World", "summary": "Threat-model-first analysis (November 2016): Reproducible Builds: Trusting Artifacts in a Hostile World.", "date_modified": "2016-11-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-10-observability-as-specification-slos-error-budgets-and-contra", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

A focused memo on Observability as Specification: SLOs, Error Budgets, and Contracts: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

A common pattern is splitting state into durable vs derived:

\n
S=Sdurable×SderivedandSderived=f(Sdurable).S = S_\\text{durable} \\times S_\\text{derived}\\qquad\\text{and}\\qquad S_\\text{derived} = f(S_\\text{durable}).S=Sdurable×SderivedandSderived=f(Sdurable).
\n

Prefer monotonic identifiers at boundaries (sequence numbers, epochs, version vectors) so that replays are detectable and order can be reasoned about.

\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

The goal isn’t cleverness—it’s eliminating ambiguity at boundaries and making recovery boring.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Observability as Specification: SLOs, Error Budgets, and Contracts: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-10-observability-as-specification-slos-error-budgets-and-contra", "title": "Observability as Specification: SLOs, Error Budgets, and Contracts", "summary": "Design memo (October 2016): Observability as Specification: SLOs, Error Budgets, and Contracts.", "date_modified": "2016-10-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-09-fault-injection-turning-unknown-unknowns-into-test-cases", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

A focused memo on Fault Injection: Turning Unknown Unknowns into Test Cases: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

A common pattern is splitting state into durable vs derived:

\n
S=Sdurable×SderivedandSderived=f(Sdurable).S = S_\\text{durable} \\times S_\\text{derived}\\qquad\\text{and}\\qquad S_\\text{derived} = f(S_\\text{durable}).S=Sdurable×SderivedandSderived=f(Sdurable).
\n

Crash points matter: define what happens if the process stops after each line that mutates state or acknowledges work.

\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Init\n  Init --> Ready: bootstrap()\n  Ready --> Processing: event(e)\n  Processing --> Ready: commit()\n  Processing --> Error: violate(Inv)\n  Error --> Ready: recover()
\n

Implementation notes

\n

The goal isn’t cleverness—it’s eliminating ambiguity at boundaries and making recovery boring.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Fault Injection: Turning Unknown Unknowns into Test Cases: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-09-fault-injection-turning-unknown-unknowns-into-test-cases", "title": "Fault Injection: Turning Unknown Unknowns into Test Cases", "summary": "Spec-driven research note (September 2016): Fault Injection: Turning Unknown Unknowns into Test Cases.", "date_modified": "2016-09-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-08-memory-models-and-concurrency-reasoning-about-races", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Memory Models and Concurrency: Reasoning About Races as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

We want a transition function δ\\deltaδ and invariant Inv\\mathrm{Inv}Inv such that:

\n
st+1=δ(st,et)Inv(st)Inv(st+1).s_{t+1} = \\delta(s_t, e_t)\\qquad\\wedge\\qquad \\mathrm{Inv}(s_t)\\Rightarrow \\mathrm{Inv}(s_{t+1}).st+1=δ(st,et)Inv(st)Inv(st+1).
\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n

If you can’t define what a timeout means, you can’t implement retries safely. Make ambiguity explicit in the API.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant API as API\n  participant DB as Durable Store\n  C->>API: request(op, idempotency_key)\n  API->>DB: check_or_reserve(key)\n  DB-->>API: miss | hit(result)\n  API->>DB: commit(result)\n  API-->>C: ack(result)
\n

Implementation notes

\n

Correctness lives in the seams: encoding, persistence, concurrency, and retries.

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Correctness checklist:\n1) Define state (durable vs derived).\n2) Enumerate transitions.\n3) Write invariants (safety) and progress conditions (liveness).\n4) Pick crash points and specify recovery.\n5) Make retries part of semantics (idempotency keys, monotonic versions).
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
LearnTLA. Learn TLA+ [Internet]. Web; Available from: https://learntla.com/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-08-memory-models-and-concurrency-reasoning-about-races", "title": "Memory Models and Concurrency: Reasoning About Races", "summary": "Threat-model-first analysis (August 2016): Memory Models and Concurrency: Reasoning About Races.", "date_modified": "2016-08-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-07-crash-consistency-durable-state-without-mysticism", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Crash Consistency: Durable State Without Mysticism as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Most failures are boundary failures: parsing, persistence, concurrency, retries, and upgrades.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

For idempotent operations, the contract is set-like:

\n
apply(s,op,k)=apply(s,op,k)andapply(s,op,k1)apply(s,op,k2) in general.\\mathrm{apply}(s, op, k) = \\mathrm{apply}(s, op, k) \\quad\\text{and}\\quad\n\\mathrm{apply}(s, op, k_1) \\neq \\mathrm{apply}(s, op, k_2)\\ \\text{in general}.apply(s,op,k)=apply(s,op,k)andapply(s,op,k1)=apply(s,op,k2) in general.
\n

Prefer monotonic identifiers at boundaries (sequence numbers, epochs, version vectors) so that replays are detectable and order can be reasoned about.

\n

Crash points matter: define what happens if the process stops after each line that mutates state or acknowledges work.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

Implementation is the act of making invalid state unrepresentable (or at least unignorable).

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Crash Consistency: Durable State Without Mysticism: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Design playbooks as protocols: predictable steps, bounded risk, and clear ownership.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
\n
2.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-07-crash-consistency-durable-state-without-mysticism", "title": "Crash Consistency: Durable State Without Mysticism", "summary": "Engineering notebook entry (July 2016): Crash Consistency: Durable State Without Mysticism.", "date_modified": "2016-07-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-06-cryptographic-hygiene-domain-separation-kdfs-and-context-bin", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Cryptographic Hygiene: Domain Separation, KDFs, and Context Binding as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Observability pipelines can be attacked (cardinality explosions, log injection). Protect them.

\n
\n

Model & invariants

\n

We want a transition function δ\\deltaδ and invariant Inv\\mathrm{Inv}Inv such that:

\n
st+1=δ(st,et)Inv(st)Inv(st+1).s_{t+1} = \\delta(s_t, e_t)\\qquad\\wedge\\qquad \\mathrm{Inv}(s_t)\\Rightarrow \\mathrm{Inv}(s_{t+1}).st+1=δ(st,et)Inv(st)Inv(st+1).
\n

Treat invariants as a first-class interface: a function that cannot check its invariants cannot be safely composed. Start with the smallest invariant that is both meaningful and enforceable at your boundaries.

\n

Prefer monotonic identifiers at boundaries (sequence numbers, epochs, version vectors) so that replays are detectable and order can be reasoned about.

\n
\n
Invariant
\n

Make the “impossible state” observable: a metric or alert that fires when invariants drift.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

A recovery plan that isn’t exercised will fail when you need it.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

Implementation is the act of making invalid state unrepresentable (or at least unignorable).

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
Correctness checklist:\n1) Define state (durable vs derived).\n2) Enumerate transitions.\n3) Write invariants (safety) and progress conditions (liveness).\n4) Pick crash points and specify recovery.\n5) Make retries part of semantics (idempotency keys, monotonic versions).
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-06-cryptographic-hygiene-domain-separation-kdfs-and-context-bin", "title": "Cryptographic Hygiene: Domain Separation, KDFs, and Context Binding", "summary": "Threat-model-first analysis (June 2016): Cryptographic Hygiene: Domain Separation, KDFs, and Context Binding.", "date_modified": "2016-06-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-05-threat-modeling-for-engineers-assumptions-as-interfaces", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Threat Modeling for Engineers: Assumptions as Interfaces as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common pattern is splitting state into durable vs derived:

\n
S=Sdurable×SderivedandSderived=f(Sdurable).S = S_\\text{durable} \\times S_\\text{derived}\\qquad\\text{and}\\qquad S_\\text{derived} = f(S_\\text{durable}).S=Sdurable×SderivedandSderived=f(Sdurable).
\n

Prefer monotonic identifiers at boundaries (sequence numbers, epochs, version vectors) so that replays are detectable and order can be reasoned about.

\n

Treat invariants as a first-class interface: a function that cannot check its invariants cannot be safely composed. Start with the smallest invariant that is both meaningful and enforceable at your boundaries.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

Implementation is the act of making invalid state unrepresentable (or at least unignorable).

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Idempotency sketch: reserve -> execute -> commit result (or return cached).\ntype Key string\n\ntype Store interface {\n  Get(key Key) (value []byte, ok bool, err error)\n  PutIfAbsent(key Key, value []byte) (stored bool, err error)\n}\n\n// Threat Modeling for Engineers: Assumptions as Interfaces: \"timeout\" must not mean \"try again and maybe double-apply\".
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Make degraded modes explicit: fail closed vs fail open is a policy choice.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-05-threat-modeling-for-engineers-assumptions-as-interfaces", "title": "Threat Modeling for Engineers: Assumptions as Interfaces", "summary": "Correctness-focused deep dive (May 2016): Threat Modeling for Engineers: Assumptions as Interfaces.", "date_modified": "2016-05-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-04-time-is-a-lie-clocks-causality-and-ordering", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

A focused memo on Time Is a Lie: Clocks, Causality, and Ordering: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common pattern is splitting state into durable vs derived:

\n
S=Sdurable×SderivedandSderived=f(Sdurable).S = S_\\text{durable} \\times S_\\text{derived}\\qquad\\text{and}\\qquad S_\\text{derived} = f(S_\\text{durable}).S=Sdurable×SderivedandSderived=f(Sdurable).
\n

If you can’t define what a timeout means, you can’t implement retries safely. Make ambiguity explicit in the API.

\n

Crash points matter: define what happens if the process stops after each line that mutates state or acknowledges work.

\n
\n
Invariant
\n

If the system can enter an invalid state, it eventually will—usually during an incident.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Sampling hides the rare schedule that breaks your invariants.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Init\n  Init --> Ready: bootstrap()\n  Ready --> Processing: event(e)\n  Processing --> Ready: commit()\n  Processing --> Error: violate(Inv)\n  Error --> Ready: recover()
\n

Implementation notes

\n

Treat every boundary (RPC, DB, queue, cache) as a semantic interface with explicit contracts.

\n
\n
Rule of thumb
\n

Acknowledge only after durability (or make “ack” explicitly best-effort).

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Time Is a Lie: Clocks, Causality, and Ordering: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Kleppmann M. Designing Data-Intensive Applications [Internet]. O’Reilly Media; 2017. Available from: https://dataintensive.net/
\n
\n
\n
2.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-04-time-is-a-lie-clocks-causality-and-ordering", "title": "Time Is a Lie: Clocks, Causality, and Ordering", "summary": "Adversarial-first deep dive (April 2016): Time Is a Lie: Clocks, Causality, and Ordering.", "date_modified": "2016-04-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-03-backpressure-as-a-correctness-property-stability-under-load", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

A focused memo on Backpressure as a Correctness Property: Stability Under Load: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Correctness is cheaper to enforce at interfaces than to repair in production data.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Any unbounded work per request becomes a DoS primitive under adversaries.

\n
\n

Model & invariants

\n

We want a transition function δ\\deltaδ and invariant Inv\\mathrm{Inv}Inv such that:

\n
st+1=δ(st,et)Inv(st)Inv(st+1).s_{t+1} = \\delta(s_t, e_t)\\qquad\\wedge\\qquad \\mathrm{Inv}(s_t)\\Rightarrow \\mathrm{Inv}(s_{t+1}).st+1=δ(st,et)Inv(st)Inv(st+1).
\n

Crash points matter: define what happens if the process stops after each line that mutates state or acknowledges work.

\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
sequenceDiagram\n  participant C as Client\n  participant API as API\n  participant DB as Durable Store\n  C->>API: request(op, idempotency_key)\n  API->>DB: check_or_reserve(key)\n  DB-->>API: miss | hit(result)\n  API->>DB: commit(result)\n  API-->>C: ack(result)
\n

Implementation notes

\n

The goal isn’t cleverness—it’s eliminating ambiguity at boundaries and making recovery boring.

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
use core::fmt;\n\n#[derive(Clone, Debug)]\npub enum Event {\n    Input(Vec<u8>),\n    Tick,\n    Fault(&'static str),\n}\n\npub trait StateMachine {\n    type State: Clone + fmt::Debug;\n    type Error: fmt::Debug;\n\n    fn step(state: &Self::State, event: Event) -> Result<Self::State, Self::Error>;\n    fn invariant(state: &Self::State) -> bool;\n}\n\n// Backpressure as a Correctness Property: Stability Under Load: invariants are part of the API contract.
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Keep audit and config history queryable during incidents—evidence beats intuition.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Jepsen. Jepsen: Distributed Systems Safety Analysis [Internet]. Web; Available from: https://jepsen.io/
\n
\n
\n
2.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-03-backpressure-as-a-correctness-property-stability-under-load", "title": "Backpressure as a Correctness Property: Stability Under Load", "summary": "Design memo (March 2016): Backpressure as a Correctness Property: Stability Under Load.", "date_modified": "2016-03-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-02-idempotency-everywhere-designing-safe-retries-in-distributed", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

Idempotency Everywhere: Designing Safe Retries in Distributed APIs as an engineering constraint: write down assumptions, make invariants executable, and design operational recovery as part of correctness.

\n
\n
Key insight
\n

If the spec is implicit, the implementation becomes the spec—and you’ll learn it during incidents.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Parsing is an attacker-controlled interface—validate early and fail fast.

\n
\n

Model & invariants

\n

A common pattern is splitting state into durable vs derived:

\n
S=Sdurable×SderivedandSderived=f(Sdurable).S = S_\\text{durable} \\times S_\\text{derived}\\qquad\\text{and}\\qquad S_\\text{derived} = f(S_\\text{durable}).S=Sdurable×SderivedandSderived=f(Sdurable).
\n

If you can’t define what a timeout means, you can’t implement retries safely. Make ambiguity explicit in the API.

\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n
\n
Invariant
\n

Invariants must be checkable from evidence you actually have (state + logs + counters).

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Mixed-version deployments create states you never tested—plan for them explicitly.

\n
\n

Design sketch

\n
stateDiagram-v2\n  [*] --> Init\n  Init --> Ready: bootstrap()\n  Ready --> Processing: event(e)\n  Processing --> Ready: commit()\n  Processing --> Error: violate(Inv)\n  Error --> Ready: recover()
\n

Implementation notes

\n

Implementation is the act of making invalid state unrepresentable (or at least unignorable).

\n
\n
Rule of thumb
\n

Make rollbacks boring: if rollback is a hero move, it will fail.

\n
\n
Correctness checklist:\n1) Define state (durable vs derived).\n2) Enumerate transitions.\n3) Write invariants (safety) and progress conditions (liveness).\n4) Pick crash points and specify recovery.\n5) Make retries part of semantics (idempotency keys, monotonic versions).
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
\n
2.
Fielding RT, Nottingham M, Reschke J. HTTP Semantics [Internet]. RFC Editor; 2022. Report No.: 9110. Available from: https://www.rfc-editor.org/rfc/rfc9110
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-02-idempotency-everywhere-designing-safe-retries-in-distributed", "title": "Idempotency Everywhere: Designing Safe Retries in Distributed APIs", "summary": "Correctness-focused deep dive (February 2016): Idempotency Everywhere: Designing Safe Retries in Distributed APIs.", "date_modified": "2016-02-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] }, { "id": "https://mayckongiovani.xyz/pensieve/2016-01-protocol-state-machines-invariants-events-and-recovery", "content_html": "
\n

Monthly research note. Theme: Correctness & Foundations.

\n
\n

TL;DR

\n

A focused memo on Protocol State Machines: Invariants, Events, and Recovery: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

\n
\n
Key insight
\n

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

\n
\n

Key takeaways

\n\n

Why this matters

\n\n

Key questions

\n\n

Assumptions

\n\n

Non-goals

\n\n
\n
Attack surface
\n

Negotiation and fallbacks are where security silently becomes optional—treat them as hostile.

\n
\n

Model & invariants

\n

We want a transition function δ\\deltaδ and invariant Inv\\mathrm{Inv}Inv such that:

\n
st+1=δ(st,et)Inv(st)Inv(st+1).s_{t+1} = \\delta(s_t, e_t)\\qquad\\wedge\\qquad \\mathrm{Inv}(s_t)\\Rightarrow \\mathrm{Inv}(s_{t+1}).st+1=δ(st,et)Inv(st)Inv(st+1).
\n

Avoid “ghost state” in caches that can’t be recomputed or validated. Derived state must be either reproducible or explicitly reconciled.

\n

Prefer monotonic identifiers at boundaries (sequence numbers, epochs, version vectors) so that replays are detectable and order can be reasoned about.

\n
\n
Invariant
\n

Monotonicity beats timestamps: counters and epochs survive clock skew.

\n
\n

Security properties

\n\n

Failure modes

\n\n
\n
Pitfall
\n

Caches tend to become sources of truth unless you can recompute and validate them.

\n
\n

Design sketch

\n
flowchart TD\n  input[\"Input\"] --> parse[\"Parse/Validate\"]\n  parse --> decide[\"Decide (pure)\"]\n  decide --> write[\"Durable write\"]\n  write --> ack[\"Acknowledge\"]\n  ack --> obs[\"Emit evidence (logs/metrics)\"]
\n

Implementation notes

\n

Implementation is the act of making invalid state unrepresentable (or at least unignorable).

\n
\n
Rule of thumb
\n

Bound work per request: parse, validate, and cap cost before you allocate heavy resources.

\n
\n
// Idempotency sketch: reserve -> execute -> commit result (or return cached).\ntype Key string\n\ntype Store interface {\n  Get(key Key) (value []byte, ok bool, err error)\n  PutIfAbsent(key Key, value []byte) (stored bool, err error)\n}\n\n// Protocol State Machines: Invariants, Events, and Recovery: \"timeout\" must not mean \"try again and maybe double-apply\".
\n

Verification strategy

\n\n

Operational notes

\n\n
\n
Operational note
\n

Attach explicit rollout/rollback triggers to changes that touch security or correctness.

\n
\n

What to monitor

\n\n

Rollback plan

\n\n

Evidence

\n\n

Open questions

\n\n

Checklist

\n\n

Further reading

\n
\n
\n
1.
Lamport L. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM [Internet]. 1978;21(7):558–65. Available from: https://lamport.azurewebsites.net/pubs/time-clocks.pdf
\n
\n
\n
2.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
\n
\n
", "url": "https://mayckongiovani.xyz/pensieve/2016-01-protocol-state-machines-invariants-events-and-recovery", "title": "Protocol State Machines: Invariants, Events, and Recovery", "summary": "Design memo (January 2016): Protocol State Machines: Invariants, Events, and Recovery.", "date_modified": "2016-01-01T00:00:00.000Z", "tags": [ "research-notes", "protocol-design", "correctness", "formal-methods", "Rust" ] } ] }