Linux ‘io_uring’ Security Blind Spot Allows Stealthy Rootkit Attacks

Compiled by: Code Guardian

A significant security gap in Linux runtime security caused by ‘io_uring’ can allow rootkits to operate undetected on systems while bypassing advanced enterprise security software.

This vulnerability was discovered by security researchers at ARMO, who also developed a proof-of-concept rootkit named ‘Curing’ to demonstrate the practicality and feasibility of evading detection using io_uring.

io_uring is a Linux kernel interface for efficient, asynchronous I/O that was introduced in Linux 5.1 in 2019 to address the performance and scalability limits of traditional I/O system calls. Unlike ordinary system calls, which incur per-call overhead and suspend the calling process, io_uring uses a pair of ring buffers shared between the program and the kernel to queue I/O requests, so the requests are processed asynchronously while the program keeps running.

ARMO noted that the problem lies in the fact that most security tools monitor for suspicious system calls by hooking them (for example via ‘ptrace’ or ‘seccomp’) while completely ignoring io_uring, which creates a very dangerous blind spot: an operation submitted through the ring never passes through the hooked system-call path.

The researchers explained that io_uring supports a large number of operations through its 61 operation types, including reading and writing files, creating and accepting network connections, spawning processes, modifying file permissions, and reading directory contents, which makes it a powerful vector for rootkits.

This is why Google decided to disable it by default on Android and ChromeOS, which use the Linux kernel and therefore inherit many of its low-level vulnerabilities.

To test this theory, ARMO created a specialized rootkit that abuses io_uring, named Curing, which pulls commands from a remote server and executes arbitrary operations without triggering system call hooks. Testing Curing against several well-known runtime security tools showed that most of them failed to detect its activity. Specifically, Falco was reported to be completely unable to detect it even with custom detection rules, while Tetragon could not flag the malicious activity under its default configuration; the Tetragon team, however, does not consider its platform vulnerable, because its monitoring features can be enabled to detect this rootkit.

Researchers stated, “We reported this issue to the Tetragon team, who mentioned that Tetragon is not ‘vulnerable’ because they provide hooks with such flexibility almost everywhere. They also referenced a very good blog post on this topic.”

When testing commercial tools, ARMO further confirmed that they could not detect malware whose kernel interactions go through io_uring rather than through system calls. ARMO did not specify which commercial products were tested. The company recommends Kernel Runtime Security Instrumentation (KRSI) to address this issue, since KRSI allows eBPF programs to be attached to security-related kernel events (LSM hooks) rather than to system-call entry points, so the hooks fire regardless of whether the operation was requested via a system call or via io_uring.
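As an added example (not code from the article or from ARMO), the following defender-side script checks the two things a practitioner would want to know after reading the above: whether the host can restrict io_uring or has a BPF LSM active (the KRSI path recommended here), and which processes currently hold live io_uring rings. It assumes the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later: 0 = enabled, 1 = blocked for unprivileged processes, 2 = disabled), the comma-separated LSM list in `/sys/kernel/security/lsm`, and io_uring file descriptors appearing in `/proc/<pid>/fd` as `anon_inode:[io_uring]`.

```python
"""Added example: host posture and inventory checks for the io_uring blind spot.
Constructed paths are used only when the real files are absent."""
import os
from pathlib import Path
from typing import Optional

# Symlink target of an io_uring instance under /proc/<pid>/fd/<n>.
IO_URING_FD_TARGET = "anon_inode:[io_uring]"


def assess_posture(io_uring_disabled: Optional[str], active_lsms: str) -> dict:
    """Map raw sysctl and LSM strings to findings.
    io_uring_disabled is None when the sysctl is absent (kernel older than 6.6)."""
    lsms = [x.strip() for x in active_lsms.split(",") if x.strip()]
    mode = None if io_uring_disabled is None else int(io_uring_disabled.strip())
    return {
        "io_uring_mode": mode,
        "io_uring_restricted": mode in (1, 2),
        "bpf_lsm_active": "bpf" in lsms,
        # Syscall-hook-only monitoring is blind to io_uring unless the ring is
        # fully disabled or an LSM-level (KRSI-style) hook point is available.
        "blind_spot_mitigated": mode == 2 or "bpf" in lsms,
    }


def is_io_uring_fd(link_target: str) -> bool:
    return link_target == IO_URING_FD_TARGET


def processes_with_io_uring(proc_root: str = "/proc") -> dict:
    """Return {pid: count_of_io_uring_fds} for every process we may inspect."""
    root = Path(proc_root)
    if not root.is_dir():
        return {}
    found = {}
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            targets = [os.readlink(fd) for fd in (entry / "fd").iterdir()]
        except OSError:  # process exited or we lack permission
            continue
        n = sum(1 for t in targets if is_io_uring_fd(t))
        if n:
            found[int(entry.name)] = n
    return found


def read_host_posture() -> dict:
    sysctl = Path("/proc/sys/kernel/io_uring_disabled")
    lsm = Path("/sys/kernel/security/lsm")
    return assess_posture(sysctl.read_text() if sysctl.exists() else None,
                          lsm.read_text() if lsm.exists() else "")


if __name__ == "__main__":
    print("posture:", read_host_posture())
    print("processes holding io_uring rings:", processes_with_io_uring())
```

A process showing up in the inventory is not malicious by itself (databases and I/O-heavy servers use io_uring legitimately); the value is in baselining which workloads are expected to hold rings on a given host.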


Original link

https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blindspot-allows-stealthy-rootkit-attacks/

Cover image: Pexels License

This article is compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate “Reprinted from Qi Anxin Code Guardian https://codesafe.qianxin.com” when reprinting.
