Cybersecurity researchers have demonstrated a proof-of-concept (POC) rootkit called Curing, which utilizes a Linux asynchronous I/O mechanism called IO_IRING to bypass traditional system call monitoring.
This creates “major blind spots for Linux runtime security tools,” Armo said.
“This mechanism allows user applications to perform a variety of actions without using system calls,” the company said in a report shared with Hacker News. “As a result, security tools that rely on system call monitoring are blind to “RootKits that only work with IO_IRING.” ”
First introduced in March 2019 in Linux kernel version 5.1, IO_URING uses two circular buffers (CQ) to track Asynchronous Mann submissions and I/O requests using two circular buffers called submissions and completion queues (CQ) between skin and application, and two circular buffers called completion queues (CQ).
Devised by ARMO, RootKit facilitates communication between a Command and Control (C2) server and an infected host, obtains commands and runs without running them, without running them.
https://www.youtube.com/watch?v=oj6vqo87miy
An analysis of Armo, a currently available Linux runtime security tool, reveals that both Falco and Tetragon are blinding IO_URING-based operations due to the fact that they rely heavily on system call hooks.
The security risks raised by IO_IRING have been known for some time. In June 2023, Google revealed that it had decided to “provide powerful exploitation primitives” using the Linux kernel interface across Android, Chromeos, and its production servers.
“On the one hand, you need visibility into system calls, and on the other hand, you need to have enough context access to effectively detect threats.”
“Many vendors get the easiest path. They connect directly to the system call. This approach has quick visibility, but there are limitations. Most notably, they don’t guarantee that the system call is always invoked.
