Subject: Re: poolifying fileassoc
To: Chuck Silvers <chuq@chuq.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 10/05/2006 08:34:05

On Thu, Oct 05, 2006 at 05:30:05AM -0700, Chuck Silvers wrote:
>
> like I explained in earlier mail, page-checking stuff shouldn't be called
> from getpages but rather from the aiodone code. not only does that avoid
> any problems like this but it also makes it easier to check pages only when
> they're brought into memory the first time and not on later page-faults.

But veriexec _must_ check them on later page faults, or an adversary can
switch them out from underneath it and it becomes worthless (consider an
executable backed by NFS storage. The per-page code in veriexec is
explicitly intended to address this failure with other executable
verification systems).

--
Thor Lancelot Simon tls@rek.tjls.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart