Linux io_uring PoC Rootkit Bypasses System Call-Based Threat Detection Tools
Briefly

Cybersecurity researchers have developed a proof-of-concept rootkit named Curing, which takes advantage of the Linux io_uring mechanism to circumvent traditional system call monitoring. By enabling applications to perform operations without system calls, this rootkit creates significant blind spots for Linux runtime security tools like Falco and Tetragon. While CrowdStrike's Falcon agent has addressed the issue, Microsoft Defender for Endpoint on Linux remains ill-equipped to detect threats related to io_uring. These risks have already prompted Google to restrict io_uring's use across various platforms because of the exploitation primitives it offers.
Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring.
This mechanism allows a user application to perform various actions without using system calls, leading to a major blind spot in Linux runtime security tools.
ARMO's analysis indicates that current Linux runtime security tools, like Falco and Tetragon, are blind to io_uring-based operations due to a reliance on system call hooking.
Security risks of io_uring have been acknowledged; Google limited its use on Android and ChromeOS due to its strong exploitation primitives.
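As an added, defender-side illustration (not code from the article, ARMO, or the Curing PoC): operations submitted through a ring never pass through the system calls that Falco and Tetragon hook, but the ring itself is still a kernel object a host can inventory. The Python below lists which processes hold io_uring instances and reports the kernel.io_uring_disabled sysctl; it assumes io_uring fds appear in /proc/<pid>/fd as anon_inode:[io_uring] and that the sysctl exists on Linux 6.6 and later, neither of which the article itself states.

```python
import os
# An io_uring instance is an anonymous inode the kernel names "[io_uring]", so every
# ring a process holds appears in /proc/<pid>/fd as a link to this target (assumption
# drawn from the kernel's anon_inode naming; the article itself does not cover /proc).
IO_URING_TARGET = "anon_inode:[io_uring]"
# kernel.io_uring_disabled (Linux 6.6+, absent on older kernels): 0 = enabled,
# 1 = root and kernel.io_uring_group only, 2 = disabled for everyone.
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"
SYSCTL_MEANING = {"0": "io_uring enabled for all users",
                  "1": "io_uring restricted to root and kernel.io_uring_group",
                  "2": "io_uring disabled system-wide"}
# Constructed sample fd table (pid -> fd link targets), not captured from a real host.
SAMPLE_FD_TABLE = {
    101: ["/dev/null", "socket:[4242]", "anon_inode:[io_uring]"],
    102: ["pipe:[77]", "anon_inode:[eventpoll]"],
}

def find_io_uring_users(fd_table):
    """Return {pid: ring_count} for every process holding at least one io_uring ring."""
    counts = {pid: sum(t == IO_URING_TARGET for t in targets) for pid, targets in fd_table.items()}
    return {pid: n for pid, n in counts.items() if n}

def describe_sysctl(value):
    """Interpret a kernel.io_uring_disabled value as read from /proc/sys."""
    return SYSCTL_MEANING.get(value.strip(), f"unknown value {value.strip()!r}")

def read_proc_fd_table(proc="/proc"):
    """Build {pid: [fd link targets]} from the live /proc (root sees every process)."""
    table = {}
    for entry in (e for e in os.listdir(proc) if e.isdigit()):
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we lack permission to inspect it
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # fd closed between listdir and readlink
                pass
        table[int(entry)] = targets
    return table

if __name__ == "__main__":
    if os.path.exists(SYSCTL_PATH):
        print("kernel.io_uring_disabled:", describe_sysctl(open(SYSCTL_PATH).read()))
    for pid, rings in sorted(find_io_uring_users(read_proc_fd_table()).items()):
        print(f"pid {pid}: {rings} io_uring ring(s) open")
```

Run it as root for a full inventory; an unexpected process holding a ring on a host where nothing is supposed to use io_uring is the kind of signal syscall-based hooks would miss.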
Read at The Hacker News