Linux io_uring Proof-of-Concept Rootkit Bypasses System Call-Based Threat Detection Tools

Recently, cybersecurity researchers demonstrated a proof-of-concept (PoC) rootkit named “Curing” that uses io_uring, the Linux asynchronous I/O interface, to bypass traditional system call monitoring.

01

Significant Blind Spots in Security Tools

ARMO stated that this leads to “significant blind spots in Linux runtime security tools.” In a report shared with The Hacker News, the company pointed out: “This mechanism allows user applications to perform various operations without using system calls. Therefore, security tools that rely on system call monitoring are completely ‘blind’ to Rootkits that operate solely through io_uring.”

02

Technical Principles of io_uring

io_uring, introduced in March 2019 with Linux kernel 5.1, is a kernel interface for asynchronous I/O. It tracks the submission and completion of I/O requests through two ring buffers shared between the kernel and user space: the Submission Queue (SQ) and the Completion Queue (CQ). Once the rings are set up, an application can queue operations such as reads and writes into the SQ and collect their results from the CQ without issuing a separate system call for each operation.

03

Rootkit Operating Mechanism

The rootkit designed by ARMO implements communication between a command-and-control (C2) server and the infected host, and can receive and execute commands without issuing the system calls such activity would normally involve, relying entirely on io_uring to achieve the same result.

04

Failure of Mainstream Security Tools to Detect

ARMO’s analysis of current mainstream Linux runtime security tools shows that both Falco and Tetragon rely heavily on system call hooking, leaving them unable to detect operations performed through io_uring. CrowdStrike’s Falcon agent also failed to detect system operations executed via io_uring, although the company has since released a patch addressing the issue. Microsoft Defender for Endpoint on Linux reportedly failed to detect a range of threats, regardless of whether io_uring was used.

05

Known Security Risks

The security risks posed by io_uring have long been recognized. In June 2023, Google announced its decision to restrict the use of this Linux kernel interface on Android, ChromeOS, and its production servers due to its “provision of powerful exploit primitives.”
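The detection gap described in section 04 and the restriction Google chose in section 05 both come down to two host-level facts a defender can check: a process that created an io_uring instance holds a file descriptor that /proc reports as `anon_inode:[io_uring]`, and kernels from 6.6 onward expose the `kernel.io_uring_disabled` sysctl (0 = enabled, 1 = unprivileged processes outside the `io_uring_group` group cannot create rings, 2 = disabled for everyone). The following Python script is an added example, not ARMO’s code or any part of the Curing PoC; it inventories which processes hold io_uring rings and reports the sysctl policy. It builds a constructed, fake `/proc` tree so it runs offline; pointing `scan_io_uring_users` and `io_uring_policy` at the real `/proc` (as root, so every process’s `fd` directory is readable) gives a live inventory.

```python
"""Inventory io_uring usage on a Linux host by walking /proc.

Added example, not ARMO's code. Assumptions (hold on mainline Linux):
  * an fd returned by io_uring_setup(2) appears in /proc/<pid>/fd as a
    symlink to "anon_inode:[io_uring]";
  * kernels >= 6.6 expose /proc/sys/kernel/io_uring_disabled.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class IoUringUser:
    pid: int
    comm: str
    ring_fds: list = field(default_factory=list)


def scan_io_uring_users(proc_root="/proc"):
    """Return the processes that currently hold at least one io_uring fd."""
    users = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric entries are processes
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except (FileNotFoundError, PermissionError):
            continue  # process exited, or we lack rights to inspect it
        ring_fds = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink
            if target == "anon_inode:[io_uring]":
                ring_fds.append(int(fd))
        if ring_fds:
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            users.append(IoUringUser(int(entry), comm, sorted(ring_fds)))
    return sorted(users, key=lambda u: u.pid)


def io_uring_policy(proc_root="/proc"):
    """Translate kernel.io_uring_disabled into a human-readable label."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path) as f:
            value = int(f.read().strip())
    except (OSError, ValueError):
        # Sysctl absent: kernel older than 6.6, so io_uring cannot be
        # switched off this way and is available to every process.
        return "unknown (sysctl absent, io_uring available to all users)"
    return {
        0: "enabled for all users",
        1: "restricted to CAP_SYS_ADMIN and members of io_uring_group",
        2: "disabled for all users",
    }.get(value, f"unrecognised value {value}")


def build_sample_proc():
    """Construct a fake /proc tree: one ring-holding process, one without."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add_proc(pid, comm, links):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in links.items():  # dangling symlinks, like real /proc
            os.symlink(target, os.path.join(d, "fd", str(fd)))

    add_proc(1, "init", {0: "/dev/null"})
    add_proc(4242, "unknown-daemon",
             {0: "/dev/null", 3: "anon_inode:[io_uring]", 4: "socket:[12345]"})
    os.makedirs(os.path.join(root, "sys", "kernel"))
    with open(os.path.join(root, "sys", "kernel", "io_uring_disabled"), "w") as f:
        f.write("0\n")  # constructed: io_uring left fully enabled
    return root


if __name__ == "__main__":
    root = build_sample_proc()
    print("io_uring policy:", io_uring_policy(root))
    for u in scan_io_uring_users(root):
        print(f"pid {u.pid} ({u.comm}) holds io_uring fds {u.ring_fds}")
```

The fd scan is a point-in-time inventory, not a replacement for runtime telemetry: a ring created and torn down between two scans is missed, and the scan says nothing about which operations were submitted through the ring. Its value is in baselining, since most hosts have a short, stable list of legitimate io_uring users, so an unexpected process on that list is worth a closer look; pairing it with a policy of `kernel.io_uring_disabled=2` where no workload needs io_uring removes the blind spot entirely.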

06

Expert Opinions

ARMO’s security research director Amit Schendel stated: “On one hand, there is a need to monitor system calls, while on the other hand, access to kernel structures and sufficient context is required to effectively detect threats. Many vendors have chosen the most direct path: directly hooking system calls. While this method can quickly provide visibility, it also has limitations. The most obvious is that system calls are not always triggered. io_uring can completely bypass system calls, which is a good example of this.”
