On Thu, Oct 05, 2006 at 08:34:05AM -0400, Thor Lancelot Simon wrote:
> On Thu, Oct 05, 2006 at 05:30:05AM -0700, Chuck Silvers wrote:
> > 
> > like I explained in earlier mail, page-checking stuff shouldn't be called
> > from getpages but rather from the aiodone code.  not only does that avoid
> > any problems like this but it also makes it easier to check pages only when
> > they're brought into memory the first time and not on later page-faults.
> 
> But veriexec _must_ check them on later page faults, or an adversary can
> switch them out from underneath it and it becomes worthless (consider an
> executable backed by NFS storage.  The per-page code in veriexec is
> explicitly intended to address this failure with other executable
> verification systems).

if a file is changed on an NFS server, the existing cached page on the
NFS client is freed and a new page is allocated to hold the new file data.
the new page will thus be checked again.  even if the same page were somehow
reused, the point where it needs to be checked is when the page is initialized
by reading from the NFS server, not when the page is found in the client's
cache, and the aiodone path is a more appropriate place to do that.

-Chuck