Remote Attestation for HDD Files Using Kernel Protection Mechanism

Communications (2010)

Abstract
A remote attestation that measures files on a hard disk drive (HDD) is important for intrusion detection on a data center server. When the server is infected by a rootkit, or when the file measurement application itself is manipulated, neither the kernel's response nor the measurement application's response can be relied upon. A trusted platform module (TPM) that establishes a chain of trust from the BIOS to the kernel at boot time has been proposed to provide such remote attestation. However, because a data center server is rarely rebooted, the TPM alone is ill-suited to measuring files on a running server. In this paper, we propose an on-demand remote attestation scheme for the HDD files of a server. We designed and implemented a trust chain from the BIOS, via the kernel and the file measurement application, to the HDD files of a running server for secure integrity measurement. A memory virtualization technique is applied to guarantee the integrity of the running kernel, and the file measurement application is verified using a code signature. We also implement a mechanism that attaches the server's signature to the measurement result within the trusted kernel. As a result, the proposed scheme allows the remote verifier to securely measure the integrity of the server's files at any time.
Keywords
intrusion detection, trusted platform module, data center, web server, linux, kernel, file servers