Besides Intel's SGX technology, there are long-running discussions on how trusted computing technologies can be used to cloak malware. Past research showed example methods of malicious activities utilising Flicker, the Trusted Platform Module, and, more recently, integration with enclaves. There is, however, ambiguity over whether the core SGX ecosystem helps to cloak malware, or whether the additional engineering work outside SGX's ecosystem forcefully attaches (overfits) malware behaviour to the enclave. We examine what malware aims to do in real-world scenarios and the state-of-the-art techniques in malware evasion. The rising disadvantages of maintaining the malware and protecting it from anti-malware mechanisms make SGX enclaves a bad choice for achieving a successful malware campaign. We systematise twelve points outlining how overfit malware using SGX weakens malware's existing abilities. By making a comparison with non-SGX malware (i.e., malware in the wild in our paper), we conclude that the use of hardware enclaves does not increase the preexisting attack surface, provides no new infection point, and does not contribute any new methods to the stealthiness of malware.