Linux Security Tools Bypassed by io_uring Rootkit Technique, ARMO Research Reveals
Briefly

"we presented our research on how to effectively bypass Linux runtime detection tools. This research is relevant to any Linux environment, especially in the modern cloud-native environments. The io_uring interface, introduced in Linux kernel 5.1, was designed to provide high-performance asynchronous I/O through shared ring buffers between user space and kernel space. Unlike traditional Unix I/O operations that rely on system calls, io_uring uses these ring buffers as the primary communication mechanism, effectively creating an alternative pathway that bypasses conventional monitoring approaches."
"The research builds upon earlier work by Daniel Teixeira, who first demonstrated the evasion potential of io_uring in 2022, but ARMO's team has now created the first fully functional rootkit to prove the practical threat. The io_uring interface currently supports 61 different operations, including critical network and file system functions that would typically trigger security alerts. Testing revealed widespread vulnerabilities across both open-source and commercial security solutions."
The weakness in Linux runtime security tools stems from the io_uring interface, an asynchronous I/O mechanism that sidesteps traditional system call monitoring: once the rings are set up, I/O requests are submitted through shared memory rather than through the per-operation syscalls (read, write, connect, and so on) that most tools hook. A proof-of-concept rootkit named "Curing" operates entirely via io_uring, providing full command-and-control without issuing the monitored traditional system calls. Major security tools such as Falco and Microsoft Defender for Endpoint on Linux failed to detect the rootkit; others, such as Tetragon, can detect io_uring activity but only with specialized configuration. io_uring, introduced in Linux kernel 5.1, uses shared ring buffers and supports 61 operations, including critical network and filesystem functions. The gap affects both open-source and commercial runtime security solutions, posing elevated risk to cloud-native Linux environments.
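The summary above explains why per-operation syscall hooks miss io_uring traffic: the data-plane operations never cross the syscall boundary. What does still cross it is the control plane, io_uring_setup and io_uring_enter (and io_uring_register), so a defender can at least inventory which processes use the interface. The following is an added example, not code from the article or from ARMO's research: it parses constructed auditd-style SYSCALL records and groups io_uring syscall counts per process. The x86_64 syscall numbers (425, 426, 427) and the arch value c000003e are real kernel values; the log lines, process names and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the io_uring control-plane entry points (kernel 5.1+).
IO_URING_SYSCALLS_X86_64 = {
    425: "io_uring_setup",
    426: "io_uring_enter",
    427: "io_uring_register",
}
IO_URING_NAMES = set(IO_URING_SYSCALLS_X86_64.values())
X86_64_ARCH = "c000003e"  # auditd's arch field for x86_64

# Constructed auditd SYSCALL records (not taken from the article). Unrelated
# fields have been elided with "...". The last line shows the form auditd
# emits when ausearch -i has already resolved the syscall number to a name.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=425 success=yes exit=5 ... pid=4242 comm="curing" exe="/tmp/curing"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=426 success=yes exit=1 ... pid=4242 comm="curing" exe="/tmp/curing"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=426 success=yes exit=1 ... pid=4242 comm="curing" exe="/tmp/curing"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=0 success=yes exit=512 ... pid=1337 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=io_uring_enter success=yes exit=1 ... pid=5151 comm="nginx" exe="/usr/sbin/nginx"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def io_uring_name(fields):
    """Return the io_uring syscall name for a SYSCALL record, or None otherwise."""
    if fields.get("type") != "SYSCALL":
        return None
    raw = fields.get("syscall", "")
    if raw in IO_URING_NAMES:  # already interpreted (ausearch -i)
        return raw
    if raw.isdigit() and fields.get("arch") == X86_64_ARCH:
        return IO_URING_SYSCALLS_X86_64.get(int(raw))
    return None  # other architectures use different numbers; extend the table as needed


def find_io_uring_users(log_text):
    """Map (pid, comm, exe) -> {io_uring syscall name: count} for every process using io_uring."""
    users = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_record(line)
        name = io_uring_name(fields)
        if name is None:
            continue
        key = (fields.get("pid"), fields.get("comm"), fields.get("exe"))
        users[key][name] += 1
    return {key: dict(counts) for key, counts in users.items()}


if __name__ == "__main__":
    for (pid, comm, exe), counts in find_io_uring_users(SAMPLE_AUDIT_LOG).items():
        print(f"pid={pid} comm={comm} exe={exe} io_uring calls={counts}")
```

The output is an inventory, not a verdict: legitimate high-performance services use io_uring too, so the useful signal is an unexpected process (an unknown binary, something running from a temporary directory) appearing in the list, or a process that submits io_uring work while never showing the ordinary read/write/connect syscalls a tool of its kind would normally produce. Such records only exist if the audit subsystem is told to log these syscalls in the first place; the same applies to eBPF-based tools, which is the "specialized configuration" the summary refers to.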
Read at InfoQ