Stealth Linux Rootkit Exploits io_uring to Evade Detection
A novel rootkit, dubbed Curing, demonstrates how attackers can use Linux's io_uring asynchronous I/O interface to slip past conventional security tools. Researchers have shown that this proof-of-concept malware bypasses threat detection that relies on monitoring system calls alone, posing a significant challenge to Linux security.

Security researchers have just dropped a bombshell: a proof-of-concept rootkit called Curing. What makes this one so sneaky? It's designed to sidestep traditional system call monitoring on Linux by using io_uring, a legitimate kernel interface for asynchronous I/O, rather than by exploiting any kernel bug.
According to ARMO, this creates a "major blind spot" for Linux security tools that are supposed to be keeping an eye on things.
Basically, ARMO explains that io_uring lets an application submit I/O operations (opening, reading and writing files, sending and receiving on sockets, and more) by writing descriptors into a shared-memory ring, and the kernel carries them out without the application ever issuing the matching openat(), read(), write() or connect() system calls. The process still calls io_uring_setup() once to create the ring, and io_uring_enter() to kick submissions unless the ring runs in SQPOLL mode, where a kernel thread polls the submission queue instead. So, if your security tools are only watching the file and network system calls, they won't even see a rootkit like Curing operating.
So what's io_uring anyway? It was merged during the Linux 5.1 development cycle in March 2019 and shipped with the 5.1 release in May 2019. Think of it as a way for applications and the kernel to exchange I/O requests through two circular buffers mapped into the process's memory: a submission queue (SQ), into which the application writes submission queue entries (SQEs) describing each operation, and a completion queue (CQ), into which the kernel writes completion queue entries (CQEs) carrying each operation's result. Red Hat explains it as a way to handle I/O in an asynchronous manner.
The Curing rootkit uses this to communicate with a command-and-control (C2) server. It fetches commands and executes them on the compromised machine without issuing the file and network system calls that syscall-based monitors watch for and would otherwise flag. Sneaky, right?
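To make the blind spot concrete, here is an added example (written for this page; it is not Curing's code and not ARMO's) that opens, reads and closes a file purely through io_uring submissions. It uses raw syscalls instead of liburing so it has no dependencies beyond the kernel UAPI header, and it needs a kernel of 5.6 or newer for the IORING_OP_OPENAT, IORING_OP_READ and IORING_OP_CLOSE opcodes. The ring size of 4 and the default path `/proc/version` are arbitrary choices made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/io_uring.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, not Curing's code: the ring state this program keeps. */
struct ring {
    int fd;
    struct io_uring_params p;
    unsigned char *sq_ring, *cq_ring;
    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
};

static void *map(int fd, size_t len, off_t off)
{
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd, off);
}

/* io_uring_setup() is the one unavoidable syscall: it creates the ring fd.
 * The SQ ring, CQ ring and SQE array are then mapped from that fd. */
static int ring_init(struct ring *r, unsigned entries)
{
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(__NR_io_uring_setup, entries, &r->p);
    if (r->fd < 0) return -errno;
    r->sq_ring = map(r->fd, r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned), IORING_OFF_SQ_RING);
    r->cq_ring = map(r->fd, r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe), IORING_OFF_CQ_RING);
    r->sqes = map(r->fd, r->p.sq_entries * sizeof(struct io_uring_sqe), IORING_OFF_SQES);
    if (r->sq_ring == MAP_FAILED || r->cq_ring == MAP_FAILED || r->sqes == MAP_FAILED) return -errno;
    r->sq_tail = (unsigned *)(r->sq_ring + r->p.sq_off.tail);
    r->sq_mask = (unsigned *)(r->sq_ring + r->p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(r->sq_ring + r->p.sq_off.array);
    r->cq_head = (unsigned *)(r->cq_ring + r->p.cq_off.head);
    r->cq_tail = (unsigned *)(r->cq_ring + r->p.cq_off.tail);
    r->cq_mask = (unsigned *)(r->cq_ring + r->p.cq_off.ring_mask);
    r->cqes = (struct io_uring_cqe *)(r->cq_ring + r->p.cq_off.cqes);
    return 0;
}

/* Build a zeroed SQE for OPCODE on FD; callers fill in the op-specific fields. */
static struct io_uring_sqe sqe_for(__u8 opcode, int fd)
{
    struct io_uring_sqe s;
    memset(&s, 0, sizeof s);
    s.opcode = opcode;
    s.fd = fd;
    return s;
}

/* Queue one SQE, kick the kernel, and block for its CQE.
 * Returns the CQE's res field: the operation's result (>= 0) or -errno. */
static int ring_do(struct ring *r, const struct io_uring_sqe *s)
{
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    r->sqes[idx] = *s;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);   /* publish the entry to the kernel */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0) return -errno;
    unsigned head = *r->cq_head;
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN; /* not expected with min_complete=1 */
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);   /* hand the CQE slot back */
    return res;
}

/* Open, read and close PATH entirely through the ring: this process never issues an
 * openat(), read() or close() syscall on the target file. Returns bytes read or -errno. */
static long read_file_via_uring(const char *path, char *buf, unsigned len)
{
    struct ring r;
    int rc = ring_init(&r, 4);
    if (rc < 0) return rc;
    struct io_uring_sqe s = sqe_for(IORING_OP_OPENAT, AT_FDCWD);
    s.addr = (unsigned long)path;          /* the kernel copies the path at submission */
    s.open_flags = O_RDONLY;
    long n = ring_do(&r, &s);              /* result is the new fd, or -errno */
    if (n >= 0) {
        int fd = (int)n;
        s = sqe_for(IORING_OP_READ, fd);
        s.addr = (unsigned long)buf;
        s.len = len;                       /* s.off stays 0: read from the start */
        n = ring_do(&r, &s);
        s = sqe_for(IORING_OP_CLOSE, fd);
        ring_do(&r, &s);
    }
    close(r.fd);                           /* the ring mappings are released with the process */
    return n;
}

int main(int argc, char **argv)
{
    char buf[4096];
    long n = read_file_via_uring(argc > 1 ? argv[1] : "/proc/version", buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "io_uring read failed: %s\n", strerror((int)-n));
        return 1;
    }
    return write(STDOUT_FILENO, buf, (size_t)n) < 0;
}
```

Build it with `cc -O2 uring_read.c -o uring_read` and run it under `strace -f -e trace=openat,read,close ./uring_read /etc/passwd`: the only openat/read/close calls strace reports belong to the dynamic loader, and `/etc/passwd` never appears, even though its contents are printed. Running `bpftrace -e 'kprobe:vfs_read { printf("%s %d\n", comm, pid); }'` at the same time shows that the read does happen inside the kernel, sometimes attributed to an io-wq worker thread (comm `iou-wrk-*`) rather than the main thread, which is a detail detection rules hooking below the syscall boundary need to account for.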
ARMO tested some popular Linux runtime security tools and found that Falco and Tetragon are both blind to it. They rely heavily on hooking system calls, and I/O issued through io_uring never passes through those hooks. Monitoring that attaches further down, at the kernel functions an io_uring operation still has to go through (the VFS read and write paths, or LSM hooks such as file_open and socket_connect), is not bypassed in the same way.
Interestingly, the risks associated with io_uring aren't exactly new. Back in June 2023, Google revealed they were limiting its use across Android, ChromeOS, and their own servers because it "provides strong exploitation primitives."
Amit Schendel, Head of Security Research at ARMO, sums it up nicely: "You need visibility into system calls, but you also need access to kernel structures to really detect threats."
He adds, "Many vendors take the easy route: hooking directly into system calls. It's quick, but it has limitations. io_uring, which can bypass them entirely, is a perfect example of why that's not enough."