Schulze SM, Bergmann P, Röckl J, Freiling F (2026)
Publication Type: Conference contribution
Publication year: 2026
Publisher: IEEE
City/Town: New York City
Pages Range: 468-481
Conference Proceedings Title: 2025 IEEE Annual Computer Security Applications Conference (ACSAC)
DOI: 10.1109/ACSAC67867.2025.00048
Privileged system analysis, i.e., the analysis of a running virtual machine (VM) from the hypervisor, is a common and robust technique employed in digital forensics, incident response, and malware analysis. Its robustness stems from the analysis system running with higher privileges than the target. However, the complexity of modern hypervisors has increased the probability of vulnerabilities allowing privilege escalation, which may allow a VM to take over the hypervisor. To counter this threat, analysis tools are deployed at even higher privilege levels, such as the firmware level on ARMv8-A systems. However, moving complex software to the firmware merely shifts the dangers of vulnerabilities to another layer. To solve this dilemma, we propose using nested virtualization to introduce an additional analysis layer below the hypervisor but above the firmware. This layer can be initiated on demand using only minor modifications to the firmware. As a proof of concept, we present TrustLeech, which only adds a small loader consisting of 327 lines of code to the firmware. On demand at runtime, TrustLeech virtualizes the existing hypervisor and its VMs using ARM's nested virtualization extensions, inserting an analysis hypervisor. TrustLeech therefore combines the advantages of firmware-level initialization with a hypervisor's access to all hardware debugging features, allowing precise analysis. We show its applicability by integrating TrustLeech with LibVMI and analyzing rootkits in a running hypervisor.
APA:
Schulze, S.M., Bergmann, P., Röckl, J., & Freiling, F. (2025). TrustLeech: Privileged System Analysis using Nested Virtualization. In 2025 IEEE Annual Computer Security Applications Conference (ACSAC) (pp. 468-481). Honolulu, US: New York City: IEEE.
MLA:
Schulze, Sven Matti, et al. "TrustLeech: Privileged System Analysis using Nested Virtualization." Proceedings of the 2025 IEEE Annual Computer Security Applications Conference (ACSAC), Honolulu New York City: IEEE, 2025. 468-481.