Cloaking Malware With the Trusted Platform Module
The Trusted Platform Module (TPM) is commonly thought of as hardware that can increase platform security. However, it can also be used for malicious purposes. The TPM, along with other hardware, can implement a cloaked computation: one whose memory state cannot be observed by any other software, including the operating system and hypervisor. The authors show that malware can use cloaked computations to hide essential secrets (such as the target of an attack) from a malware analyst.