Remote Attestation for HDD Files Using Kernel Protection Mechanism
Remote attestation that measures files on a hard disk drive (HDD) is important for intrusion detection on a data center server. When the server is infected by a rootkit, the kernel may reply with a faked response. Moreover, when the file measurement application or its result is manipulated, the measurement response is not reliable. The trusted platform module (TPM), which establishes a chain of trust from the BIOS to the kernel at boot time, has been proposed as a basis for remote attestation. However, because a data center server is rarely rebooted, the TPM is ill-suited to measuring files on a running server. This paper proposes an on-demand remote attestation scheme for the HDD files of the server.