From what I've read it is based on the split TLB technique (see
uninformed or newer paper
MOrE Shadow Walker).
It works like this:
When translating virtual to physical memory addresses, there is a CPU cache that helps in alleviating the performance impact caused by the translation mechanism: the TLB (translation lookaside buffer). More precisely, there are actually two TLBs: one for data lookups, and one for code lookups.
Now, the basic idea of TLB splitting is to de-synchronize those two TLBs, thereby tricking the OS into mapping the same virtual address to different physical addresses.
Using that technique, one could for instance hide a rootkit in the kernel but still be able to execute code from it. However, when reading that memory, one wouldn't see the actual code.