New Discovery: Linux Rootkit Curing Can Bypass Modern Security Tools, Hiding Within the io_uring Interface

Researchers have recently discovered a new Linux rootkit, Curing, that bypasses existing security tools through the io_uring interface of the Linux kernel; its activity is effectively invisible on the system and evades detection even by modern enterprise security software.

The io_uring interface was introduced in Linux 5.1 to improve I/O performance, addressing the performance and scalability limitations of the traditional I/O system calls.

Unlike traditional system calls, io_uring processes I/O requests asynchronously through ring buffers shared between the program and the kernel, avoiding the blocking and high per-call overhead of the traditional calling method.

Security Vulnerability: io_uring Becomes a Hidden Channel for Rootkits

According to researchers from ARMO, the root of the problem is that most security tools only monitor system calls and a few suspicious hooks (such as ptrace and seccomp) while entirely ignoring operations performed through io_uring. This blind spot is exactly what lets a rootkit use the io_uring interface to evade detection by security software.

io_uring supports a wide range of operations, including reading and writing files, creating and accepting network connections, launching processes, modifying file permissions, and listing directory contents. These capabilities make it an ideal building block for a rootkit. Because of these risks, Google developers have gone as far as disabling io_uring by default on Android and ChromeOS.

Curing: A New Rootkit Utilizing io_uring for Covert Operations

To validate their findings, ARMO researchers developed a rootkit named Curing, which receives commands from a remote server via io_uring and executes arbitrary operations in the system without relying on any system calls.

In testing, Curing bypassed most existing security software without being detected.

Additionally, ARMO also tested several commercial security tools and confirmed that they could not detect malicious activities conducted through io_uring. However, the researchers did not disclose the specific commercial solutions tested. For those wishing to test their environment’s resilience against such threats, ARMO has hosted the code for Curing on GitHub for researchers and developers to use.

Solution: Utilize eBPF and KRSI to Enhance Security

ARMO's researchers argue that the solution lies in Kernel Runtime Security Instrumentation (KRSI), which attaches eBPF (Extended Berkeley Packet Filter) programs to security-relevant events inside the kernel and can therefore detect and defend against this kind of rootkit regardless of whether the operation arrived through a system call or through io_uring.
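The blind spot described above (monitoring only system calls) and the KRSI approach both come down to one question for a defender: which processes on a host are actually using io_uring, and is the kernel even allowing it? The script below is an added example written for this article; it is not ARMO's Curing code or any tooling from the research. It relies on two facts about Linux: an io_uring instance appears in /proc/<pid>/fd as a symlink to "anon_inode:[io_uring]", and kernels 6.6 and later expose the kernel.io_uring_disabled sysctl (0 = allowed, 1 = blocked for unprivileged processes, 2 = disabled system-wide). The allowlist of expected ring users and the fake /proc tree it builds for offline runs are constructed placeholders.

```python
"""Inventory io_uring use on a Linux host straight from /proc.

Added example for this article; it is not ARMO's Curing code or tooling.
Assumptions: an io_uring instance shows up in /proc/<pid>/fd as a symlink
to "anon_inode:[io_uring]", and kernels 6.6+ expose the
kernel.io_uring_disabled sysctl (0 = allowed, 1 = unprivileged blocked,
2 = disabled for everyone). The allowlist of expected ring users is a
constructed placeholder that each deployment would baseline itself.
"""
import os
import tempfile
from pathlib import Path

IO_URING_LINK = "anon_inode:[io_uring]"
SYSCTL_REL = "sys/kernel/io_uring_disabled"
POLICY_TEXT = {None: "sysctl absent (kernel < 6.6): io_uring unrestricted",
               0: "io_uring allowed for all processes",
               1: "io_uring blocked for unprivileged processes",
               2: "io_uring disabled system-wide"}


def io_uring_policy(proc_root="/proc"):
    """Return kernel.io_uring_disabled as an int, or None if the sysctl is absent."""
    try:
        return int((Path(proc_root) / SYSCTL_REL).read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def io_uring_users(proc_root="/proc"):
    """Map pid -> {"comm": name, "rings": count} for processes holding io_uring fds."""
    users = {}
    for proc in Path(proc_root).iterdir():
        if not proc.name.isdigit():
            continue
        try:
            fds = list((proc / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # process exited, or not ours and we lack CAP_SYS_PTRACE
        rings = 0
        for fd in fds:
            try:
                if os.readlink(fd) == IO_URING_LINK:
                    rings += 1
            except OSError:
                continue  # fd closed between listing and readlink
        if rings:
            comm_file = proc / "comm"
            comm = comm_file.read_text().strip() if comm_file.exists() else "?"
            users[int(proc.name)] = {"comm": comm, "rings": rings}
    return users


def unexpected_users(users, allowlist):
    """Pids whose command name is not in the baselined allowlist of ring users."""
    return {pid: info for pid, info in users.items() if info["comm"] not in allowlist}


def build_sample_proc():
    """Constructed fake /proc tree for offline runs: two processes, one holding a ring."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    (root / "sys/kernel").mkdir(parents=True)
    (root / SYSCTL_REL).write_text("0\n")
    for pid, comm, links in ((4242, "ring-user-sample", [IO_URING_LINK, "/dev/null"]),
                             (77, "sshd", ["/dev/null", "socket:[12345]"])):
        fd_dir = root / str(pid) / "fd"
        fd_dir.mkdir(parents=True)
        (root / str(pid) / "comm").write_text(comm + "\n")
        for n, target in enumerate(links):
            os.symlink(target, fd_dir / str(n))  # dangling links, just like real /proc
    return str(root)


if __name__ == "__main__":
    root = build_sample_proc()  # swap for "/proc" on a real host (run as root to see every pid)
    print(POLICY_TEXT[io_uring_policy(root)])
    users = io_uring_users(root)
    for pid, info in unexpected_users(users, allowlist={"postgres", "nginx"}).items():
        print(f"pid {pid} ({info['comm']}) holds {info['rings']} io_uring instance(s) "
              "and is not in the baseline")
```

Run against the real /proc as root, the inventory gives a baseline of legitimate ring users (database engines and web servers commonly use io_uring), so that a new, unbaselined process holding a ring stands out; the sysctl check tells you whether setting kernel.io_uring_disabled=2 is an option on the host. This is a point-in-time host check, not a substitute for the in-kernel KRSI/eBPF hooks the article recommends, which see the file and network operations themselves.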