Asynchronous reconfiguration with Byzantine failures
Distributed Computing (IF 1.3), Pub Date: 2022-03-10, DOI: 10.1007/s00446-022-00421-1
Petr Kuznetsov 1, Andrei Tonkikh 1, 2

Replicated services are inherently vulnerable to failures and security breaches. In a long-running system, it is, therefore, indispensable to maintain a reconfiguration mechanism that would replace faulty replicas with correct ones. An important challenge is to enable reconfiguration without affecting the availability and consistency of the replicated data: the clients should be able to get correct service even when the set of service replicas is being updated. In this paper, we address the problem of reconfiguration in the presence of Byzantine failures: faulty replicas or clients may arbitrarily deviate from their expected behavior. We describe a generic technique for building asynchronous and Byzantine fault-tolerant reconfigurable objects: clients can manipulate the object data and issue reconfiguration calls without reaching consensus on the current configuration. With the help of forward-secure digital signatures, our solution makes sure that superseded and possibly compromised configurations are harmless, that slow clients cannot be fooled into reading stale data, and that Byzantine clients cannot cause a denial of service by flooding the system with reconfiguration requests. Our approach is modular and based on dynamic Byzantine lattice agreement abstraction, and we discuss how to extend it to enable Byzantine fault-tolerant implementations of a large class of reconfigurable replicated services.




Updated: 2022-03-10