Time of Check, Time of Use (TOCTOU) is a technique that malware may use to evade detection. TOCTOU is effective if malware has the ability to detect the start of an integrity check. Before the integrity check function starts, the malware completely removes all its traces from memory and only then releases the CPU, so that the ensuing execution of the integrity check function will not detect any anomaly.
The cloud paradigm continues to gain popularity as a low-cost means to provide computing infrastructure and services. While the cost savings are attractive, the ability to trust the integrity of services delivered over cloud platforms remains an issue. The Trusted Computing Group (TCG) defines standards for secure computing platforms. These standards are based on a hardware chip called a Trusted Platform Module (TPM) being present on the platform. A TPM is typically used to collect load-time software integrity measurements. These measurements are performed using primitives such as hash functions (e.g. SHA-1, or another secure hash algorithm). A cloud service user can compare these measurements with previously computed values to determine whether or not the software loaded on the cloud platform has been tampered with.
Hardware TPM approaches suffer from some shortcomings: (i) they require a trusted third party (the TPM vendor) in a trusted supply chain; (ii) vulnerable measurement primitives can only be corrected by a hardware upgrade; (iii) run-time integrity verification is not performed; and (iv) a TPM may not be available on all platforms.
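The following Python sketch is an added example, not part of the original text. It models the load-time measurement and comparison described above, assuming SHA-256 and a PCR-style extend operation (new = H(old || measurement)), and shows why shortcoming (iii) matters: a change made after measurement leaves the recorded values untouched. Component names and contents are constructed, and the signed quote a real TPM would produce is omitted.

```python
import hashlib

ZERO = bytes(32)  # assumed initial register value (all zeros)

def measure(blob: bytes) -> bytes:
    """Load-time measurement: digest of a component as it is loaded."""
    return hashlib.sha256(blob).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || measurement), so order matters."""
    return hashlib.sha256(register + measurement).digest()

def boot_and_measure(components):
    """Measure (name, blob) pairs in load order; return (register, event log)."""
    register, log = ZERO, []
    for name, blob in components:
        m = measure(blob)
        register = extend(register, m)
        log.append((name, m))
    return register, log

def verify(register, log, reference):
    """Replay the log, then list entries that differ from reference values."""
    replayed = ZERO
    for _, m in log:
        replayed = extend(replayed, m)
    if replayed != register:
        return ["<event log does not reproduce register>"]
    return [name for name, m in log if reference.get(name) != m]

# Constructed sample components (not real binaries).
GOOD = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
        ("service", b"service v1")]
REFERENCE = {name: measure(blob) for name, blob in GOOD}

def demo():
    reg, log = boot_and_measure(GOOD)
    clean = verify(reg, log, REFERENCE)
    # Case 1: a component altered before load is caught by the comparison.
    altered = [(n, b + b" altered") if n == "kernel" else (n, b) for n, b in GOOD]
    load_time = verify(*boot_and_measure(altered), REFERENCE)
    # Case 2: memory changes after measurement; register and log do not.
    memory = dict(GOOD, service=b"service v1 changed at run time")
    run_time = verify(reg, log, REFERENCE)
    drifted = [n for n, b in memory.items() if measure(b) != REFERENCE[n]]
    return clean, load_time, run_time, drifted

if __name__ == "__main__":
    print(demo())
```

In `demo()`, `run_time` is empty even though `drifted` names the changed component: the load-time record still verifies, and only a fresh measurement of the running image reveals the difference.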