Re: Token Binding/Proof of Possession
Let's make this even better...
Can a local process somehow tell the TPM to shut down until reboot? Then we could also have a local daemon that tracks client state, and if it detects a compromise, it would disable the local TPM, which would cause the already-issued tokens to become useless.
(Sure, an attacker taking over the client could disable this daemon; but it's another hurdle.)