The disk monitors all I/O requests, and is not vulnerable to layer-below attacks.
The disk is separated from the host and can operate securely while the host may be compromised.
Difficult to circumvent
Altering code does not necessarily change disk accesses. It is more difficult to reorder reads and writes than it is to substitute "x+3" with "x-10+13."
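The point above, as an added example that is not from the original project: two routines that differ only in how they compute a sector number have different code fingerprints but produce the same request stream at the disk. The `TracingDisk` class, the function names and the sector numbers are constructed for illustration, and hashing bytecode stands in for a code-pattern signature.

```python
import hashlib

class TracingDisk:
    """Toy block device that logs every request, as a disk-side monitor would see it."""
    def __init__(self, sectors=64):
        self.data = [b"\x00"] * sectors
        self.trace = []                  # ordered (op, sector) pairs

    def read(self, sector):
        self.trace.append(("R", sector))
        return self.data[sector]

    def write(self, sector, value):
        self.trace.append(("W", sector))
        self.data[sector] = value

def variant_a(disk, x):
    target = x + 3                       # original arithmetic
    old = disk.read(target)
    disk.write(target, old + b"A")
    disk.write(target + 1, b"B")

def variant_b(disk, x):
    target = x - 10 + 13                 # rewritten arithmetic, same result
    old = disk.read(target)
    disk.write(target, old + b"A")
    disk.write(target + 1, b"B")

def other_program(disk, x):
    disk.write(x, b"C")                  # genuinely different access pattern
    disk.read(x + 3)

def code_fingerprint(fn):
    """Hash of compiled bytecode and constants: what a code-pattern signature keys on."""
    c = fn.__code__
    return hashlib.sha256(c.co_code + repr(c.co_consts).encode()).hexdigest()

def trace_fingerprint(fn, x=20):
    """Hash of the ordered request stream the disk observes when fn runs."""
    disk = TracingDisk()
    fn(disk, x)
    return hashlib.sha256(repr(disk.trace).encode()).hexdigest()

if __name__ == "__main__":
    for fn in (variant_a, variant_b, other_program):
        print(fn.__name__, code_fingerprint(fn)[:12], trace_fingerprint(fn)[:12])
```

The two variants print different code fingerprints and the same trace fingerprint, while `other_program` differs in both.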
There is a speed gap between the disk processor and the mechanical data transfer system, so the disk processor is generally underutilized. Also, working at the disk level requires almost no effort from the CPU.
This work is supported by the National Science Foundation Cyber Trust Program ("Disk-Level Malware Detection and Response," NSF 0627527).