On-the-fly attack recovery faces several unique
challenges. First, repair must proceed in the forward
direction, since the assessment process may never stop.
Second, cleaned data objects could be re-damaged during
attack recovery. Finally, the attack recovery process may
never terminate: as damaged objects are identified and
cleaned, new transactions can spread damage if they read a
damaged but still unidentified object. We therefore face two
critical questions. (a) Will the attack recovery process
terminate? (b) If the attack recovery process terminates,
can we detect the termination?
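
The second and third challenges can be seen in a small replay model, added here as an illustration and not taken from the paper. The function name `replay`, the schedule format and the object names are assumptions; the model tracks only how damage spreads through reads and ignores everything else a real recovery system does.

```python
# Simplified model (an assumption of this example): a transaction that reads
# any damaged object damages every object it writes; a "clean" step restores
# exactly one object the repairer has identified.

def replay(schedule, initially_damaged):
    """Replay interleaved transactions and repair steps.

    schedule items are ("txn", reads, writes) or ("clean", obj).
    Returns (objects still damaged, cleaned objects that were re-damaged).
    """
    damaged = set(initially_damaged)  # ground truth, not fully known to the repairer
    cleaned = set()                   # objects the repairer has restored so far
    redamaged = []                    # restored objects that were damaged again
    for step in schedule:
        if step[0] == "clean":
            damaged.discard(step[1])
            cleaned.add(step[1])
            continue
        _, reads, writes = step
        if damaged & set(reads):      # read a damaged, still uncleaned object
            for obj in writes:
                if obj in cleaned and obj not in damaged:
                    redamaged.append(obj)
                damaged.add(obj)
    return damaged, redamaged

# Constructed schedules: object "a" was written by the malicious transaction.
QUIESCENT = [
    ("txn", ["a"], ["b"]),   # spreads damage a -> b
    ("txn", ["b"], ["c"]),   # spreads damage b -> c
    ("clean", "a"), ("clean", "b"), ("clean", "c"),
]
CONCURRENT = [
    ("txn", ["a"], ["b"]),
    ("txn", ["b"], ["c"]),
    ("clean", "a"), ("clean", "b"),
    ("txn", ["c"], ["b"]),   # new transaction reads c before c is cleaned
    ("clean", "c"),
]

if __name__ == "__main__":
    for name, sched in (("quiescent", QUIESCENT), ("concurrent", CONCURRENT)):
        left, again = replay(sched, {"a"})
        print(name, "still damaged:", sorted(left), "re-damaged:", again)
```

In the concurrent schedule the repairer has cleaned every object it knew about, yet `b` is damaged again, so "all identified objects are clean" is not by itself evidence that recovery has terminated.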