CyberSecurity news
FlagThis
info@thehackernews.com (The@The Hacker News
//
A new proof-of-concept rootkit, dubbed Curing, has been developed by ARMO researchers to demonstrate a significant security blindspot in Linux runtime security. This rootkit leverages the 'io_uring' interface, a Linux asynchronous I/O mechanism, to bypass traditional system call monitoring. This means that many existing security tools like Falco, Tetragon, and even Microsoft Defender are unable to detect malicious activity carried out using this method, leaving systems vulnerable to stealthy rootkit attacks. The vulnerability stems from the fact that io_uring allows user applications to perform actions without relying on standard system calls, rendering security tools that depend on system call monitoring ineffective.
io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O operation efficiency by using circular buffers (submission queue and completion queue) between the kernel and user space. However, ARMO's Curing rootkit exploits this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts. This is achieved by performing operations using io_uring instead of direct system calls.
ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations. This is because these tools rely heavily on system call hooking, a method bypassed by io_uring. While the security risks associated with io_uring have been acknowledged, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers due to its exploitation potential, a broader industry solution is still needed to address this Linux kernel blindspot effectively. Recommendations for detecting io_uring-based threats include monitoring for anomalous usage of io_uring, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack.
ImgSrc: blogger.googleu
References :
io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O operation efficiency by using circular buffers (submission queue and completion queue) between the kernel and user space. However, ARMO's Curing rootkit exploits this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts. This is achieved by performing operations using io_uring instead of direct system calls.
ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations. This is because these tools rely heavily on system call hooking, a method bypassed by io_uring. While the security risks associated with io_uring have been acknowledged, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers due to its exploitation potential, a broader industry solution is still needed to address this Linux kernel blindspot effectively. Recommendations for detecting io_uring-based threats include monitoring for anomalous usage of io_uring, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack.
ImgSrc: blogger.googleu
Share:
References :
- Talkback Resources: ARMO researchers identified a blind spot in Linux runtime security tools caused by the io_uring interface, leading to the development of the Curing rootkit and highlighting the need for enhanced monitoring solutions compatible with new Linux kernel features.
- The DefendOps Diaries: Addressing Security Challenges in Linux's io_uring Interface
- The Hacker News: New Linux Rootkit Exploits io_uring, Evades Detection ARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it. Attackers can run commands without triggering system calls.
- BleepingComputer: Linux 'io_uring' security blindspot allows stealthy rootkit attacks