Exposing Linux Security Blind Spots: The io_uring Mechanism Can Bypass Mainstream Detection Tools

Shake Network Technology News

The ARMO research team recently disclosed significant gaps in Linux runtime security tools, confirming that the io_uring interface lets a rootkit bypass conventional monitoring. Their tests show that mainstream tools, including Falco, Tetragon and even Microsoft Defender for Endpoint, fail to detect attacks carried out through this mechanism.

01

Technical Principles

“This mechanism allows user-space applications to perform various operations without triggering system calls,” ARMO explained. io_uring is a high-performance asynchronous I/O interface introduced in Linux 5.1. Instead of one system call per operation, the application and the kernel share a submission queue and a completion queue mapped into both address spaces: the application writes submission queue entries (SQEs) describing operations such as reads, writes, opens and socket calls, and reads the results back from completion queue entries (CQEs). A single io_uring_enter() call can submit many operations at once, and with submission-queue polling (IORING_SETUP_SQPOLL) a kernel thread picks up entries with no system call at all. This is precisely what lets io_uring slip past the system-call monitoring that most Linux security tools are built on: a tool hooking read, write, openat or connect never sees the corresponding io_uring operations.

02

Proof of Concept

To validate the threat, ARMO built a fully functional rootkit named Curing that talks to its command-and-control (C2) server solely through io_uring operations, never issuing the file and network system calls that monitoring tools hook. The experiments showed that an attacker can achieve:

  • Data theft
  • Remote command execution
  • Lateral movement across the network

while traditional syscall-based monitoring tools remain completely oblivious.

03

Product Testing Results

Testing various open-source and commercial Linux security products revealed serious gaps:

  • Falco: completely blind to io_uring-based operations
  • Tetragon: default policies miss io_uring activity; gaining visibility requires manually configuring kprobes and LSM hooks
  • Microsoft Defender for Endpoint: relies on fanotify, so even when io_uring is abused it sees only the resulting file changes, not the io_uring activity that produced them

04

Industry Status Reflection

Current Linux EDR (Endpoint Detection and Response) tools generally rely on eBPF agents that hook system calls, because that is the most convenient place to observe process behaviour. ARMO points to a fundamental architectural flaw: “Most security vendors have yet to address this issue; they continue to rely on simple and direct solutions that cannot cope with the diversity of application and kernel characteristics.”

05

Mitigation Recommendations

The research team proposed three improvement strategies:

  • Monitoring abnormal io_uring usage: flag io_uring activity in applications and workloads that have no legitimate reason to use it
  • Adopting KRSI (Kernel Runtime Security Instrumentation): attach eBPF programs to the Linux LSM framework to obtain structured kernel events
  • Hooking beyond system calls: expand kernel monitoring coverage using stable kprobes and other hook points
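The first recommendation, spotting io_uring use where none is expected, can be checked without any kernel instrumentation: every live io_uring instance is an anonymous-inode file descriptor whose link in /proc/PID/fd reads `anon_inode:[io_uring]`. The following added hunting tool, written for this page rather than taken from ARMO, walks a procfs tree and lists processes holding such descriptors. The function names are mine, and the proc root is a parameter so the scan can be pointed at a constructed tree for testing.

```c
/* Added example (not ARMO code): find processes holding io_uring instances by
 * reading their /proc/PID/fd symlinks.  Run as root to see every process;
 * as an ordinary user only your own processes are readable. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define IO_URING_LINK "anon_inode:[io_uring]"   /* link target the kernel reports */

static int all_digits(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Count the fds of one process (pid as a string, under proc_root) that are
 * io_uring instances.  Returns -1 if the fd directory cannot be opened
 * (process exited or not ours); callers treat that as "skip", not "alert". */
int io_uring_fds_of(const char *proc_root, const char *pid)
{
    char dirpath[PATH_MAX], linkpath[PATH_MAX], target[64];
    snprintf(dirpath, sizeof dirpath, "%s/%s/fd", proc_root, pid);
    DIR *d = opendir(dirpath);
    if (!d) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!all_digits(e->d_name)) continue;        /* skip "." and ".." */
        snprintf(linkpath, sizeof linkpath, "%s/%s", dirpath, e->d_name);
        ssize_t n = readlink(linkpath, target, sizeof target - 1);
        if (n < 0) continue;                          /* fd closed under us */
        target[n] = '\0';
        if (strcmp(target, IO_URING_LINK) == 0) count++;
    }
    closedir(d);
    return count;
}

/* Walk proc_root; store the pids that hold at least one io_uring fd in out[]
 * (up to max) and return how many were found. */
size_t scan_io_uring_users(const char *proc_root, long *out, size_t max)
{
    DIR *d = opendir(proc_root);
    if (!d) return 0;
    size_t found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && found < max) {
        if (!all_digits(e->d_name)) continue;        /* only PID directories */
        if (io_uring_fds_of(proc_root, e->d_name) > 0)
            out[found++] = strtol(e->d_name, NULL, 10);
    }
    closedir(d);
    return found;
}

int main(void)
{
    long pids[1024];
    size_t n = scan_io_uring_users("/proc", pids, sizeof pids / sizeof pids[0]);
    for (size_t i = 0; i < n; i++)
        printf("pid %ld holds an io_uring instance\n", pids[i]);
    return 0;
}
```

Two caveats for anyone adopting this. It is a point-in-time check, so a ring created and torn down between scans is missed, which is why the research team pairs it with kernel-side hooks. And io_uring has legitimate users (some databases, runtimes and proxies), so baseline a host first and alert on processes that do not normally appear in the list rather than on any hit.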

ARMO particularly emphasizes the advantages of KRSI: “Unlike directly hooking system calls, LSM hooks can provide more consistent and reliable coverage for security-related operations.” The reason is structural: an LSM hook such as file_open or socket_connect fires at the point where the kernel actually performs the operation, so it is reached whether the request arrived through a system call or through an io_uring submission. This finding sounds an alarm for the Linux security ecosystem, highlighting the critical lag between modern kernel features and the protections built to watch them.
