Security is an important problem for any compute platform that holds data in storage. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system (OS) functionality or other applications. Rootkit drivers modify the data that is made available to all applications and to the OS. Malware threats are growing rapidly. Malware, and low-level malware such as rootkits in particular, is getting stealthier and attacks the host (personal computer) system stack far below the layer at which anti-virus/anti-malware (AV/AM) approaches provide protection. Once low-level malware has infected the system, the view of system state that the AV/AM software sees is under the control of the malware.
The AV/AM approaches provided by independent software vendor (ISV) applications may include forming a secure tunnel with the storage device, so that data modification performed by rootkits can be detected and prevented. This secure tunnel transfers raw data only: the storage device has no knowledge of the type of the data or of how it is organized (for example, which file a given block belongs to).
In any host (e.g., client) system there exists a host file system that organizes user and system data as files. Files are made up of logical blocks of data; the smallest block is typically 512 bytes or 1K bytes, is called a sector, and is addressed by a logical block address (LBA). A file is a collection of LBAs (sectors) that are not necessarily contiguous. For example, in the Unix file system each file has an associated "inode" (information node). Each inode consists of a list of up to 10 direct LBAs, a pointer to a single indirect block (a list of up to 256 LBAs), a pointer to a double indirect block (a list of up to 256 single indirect blocks), and a pointer to a triple indirect block (a list of up to 256 double indirect blocks). An inode is thus a list of 13 addresses, and it gives the file-to-LBA mapping. In the Windows file system (NTFS) a similar file-to-LBA mapping exists, even though the mapping function differs from the inode scheme used in Unix.
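The following is an added example, not code from the original text: it implements the classic Unix inode mapping described above (10 direct addresses, then single, double and triple indirect blocks of 256 four-byte pointers each, with 1K blocks) over a constructed in-memory disk, resolves a file's logical block numbers to LBAs, and builds the reverse LBA-to-file index that a storage-side protection mechanism would need in order to know which raw block writes touch a protected file. The disk contents, LBA numbers and inode values are all constructed for illustration.

```python
# Added example: resolve a file's logical blocks to LBAs through a classic
# Unix inode (10 direct, single/double/triple indirect). Not from the original text.
NDIRECT = 10
BLOCK_SIZE = 1024                    # 1K sectors, as in the text
PTR_SIZE = 4
PTRS_PER_BLOCK = BLOCK_SIZE // PTR_SIZE   # 256 pointers per indirect block
MAX_BLOCKS = NDIRECT + sum(PTRS_PER_BLOCK ** d for d in (1, 2, 3))


def make_pointer_block(ptrs):
    """Build an indirect block: an array of little-endian uint32 LBAs (0 = unused)."""
    blk = bytearray(BLOCK_SIZE)
    for i, p in enumerate(ptrs):
        blk[PTR_SIZE * i:PTR_SIZE * (i + 1)] = p.to_bytes(PTR_SIZE, "little")
    return bytes(blk)


def read_pointers(disk, lba):
    """Interpret the sector at `lba` as an indirect block and return its 256 entries."""
    blk = disk[lba]
    return [int.from_bytes(blk[i:i + PTR_SIZE], "little")
            for i in range(0, BLOCK_SIZE, PTR_SIZE)]


def _walk(disk, lba, index, depth):
    """Follow `depth` levels of indirect blocks to the data block for `index`.
    A zero pointer at any level means a hole (unallocated block)."""
    for level in range(depth, 0, -1):
        if lba == 0:
            return 0
        span = PTRS_PER_BLOCK ** (level - 1)   # blocks covered by one entry here
        lba = read_pointers(disk, lba)[index // span]
        index %= span
    return lba


def logical_to_lba(inode, disk, n):
    """Map logical block n of the file to its LBA (0 = hole).
    `inode` is the 13-entry address list: 10 direct, then single/double/triple indirect."""
    if n < NDIRECT:
        return inode[n]
    n -= NDIRECT
    for depth in (1, 2, 3):
        span = PTRS_PER_BLOCK ** depth        # blocks reachable via this pointer
        if n < span:
            return _walk(disk, inode[NDIRECT + depth - 1], n, depth)
        n -= span
    raise ValueError("logical block beyond maximum file size")


def file_lbas(inode, disk, size_bytes):
    """All allocated data LBAs of a file of `size_bytes`, in logical order.
    Holes are skipped; note the result is generally not contiguous."""
    nblocks = (size_bytes + BLOCK_SIZE - 1) // BLOCK_SIZE
    lbas = [logical_to_lba(inode, disk, n) for n in range(nblocks)]
    return [lba for lba in lbas if lba != 0]


def lba_owner_index(files, disk):
    """Reverse map {lba: inode_number} over `files` = {inode_number: (inode, size)}.
    A storage-side policy check needs this to decide whether a raw LBA write
    coming down the tunnel hits a protected file's data. (Indirect blocks are
    metadata and would need protecting too; they are left out here for brevity.)"""
    owner = {}
    for ino, (inode, size) in files.items():
        for lba in file_lbas(inode, disk, size):
            owner[lba] = ino
    return owner


# Constructed disk: only the indirect blocks are materialized; data blocks are
# never read by the mapping, so they need not exist in this toy disk.
DISK = {
    200: make_pointer_block([300, 301]),          # single indirect block
    400: make_pointer_block([401]),               # double indirect block
    401: make_pointer_block([0, 0, 0, 0, 0, 500]),  # a single indirect block under 400
}
# Inode: direct blocks at LBAs 100..109, then single=200, double=400, triple=0 (unused).
INODE = list(range(100, 110)) + [200, 400, 0]

if __name__ == "__main__":
    print(file_lbas(INODE, DISK, 12 * BLOCK_SIZE))   # ten direct LBAs, then 300, 301
    print(logical_to_lba(INODE, DISK, NDIRECT + PTRS_PER_BLOCK + 5))   # via double indirect
    print(lba_owner_index({7: (INODE, 12 * BLOCK_SIZE)}, DISK))
```

Because the storage device only ever sees LBAs, the `lba_owner_index` side of this is what turns a raw block write into the question "does this modify a file I am supposed to protect"; without a mapping of this kind, the tunnel can carry blocks but cannot judge them.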
Any system may have many files, and these files are organized into directories. In a Unix system a directory is itself represented by an inode, and it contains files or other directories. Similarly, NTFS has a master file table (MFT), which records files and/or directories. Any given file system provides services that enable a user to open, read, write, or delete a file. In addition, several other maintenance services are provided, such as permissions, size, etc.