The research team at ARMO has demonstrated that popular security solutions, including CrowdStrike’s Falcon, Microsoft Defender, Falco, and Tetragon, are effectively “blind” to malicious activities performed via io_uring, an asynchronous I/O mechanism introduced in Linux 5.1 that allows applications to submit file and network operations without issuing the traditional system calls for each one. Because many runtime security tools rely on system call monitoring for threat detection, the gap affects nearly all commercial Linux runtime security tools: threats operating through the io_uring interface go unnoticed by tools that hook only the syscall layer.

To prove the significance of this gap, ARMO developed “Curing,” a fully functional rootkit that operates exclusively through io_uring operations. This proof-of-concept malware can establish command and control communications, access sensitive files, and execute malicious commands while remaining undetected by standard security solutions. “We decided to create Curing and release it publicly… to raise awareness about io_uring as an overlooked mechanism that attackers can exploit,” ARMO researchers stated in their report.

In testing, CrowdStrike’s Falcon agent failed to detect sensitive file access operations performed through io_uring, effectively bypassing all of its file system visibility. Open-source projects had varied responses: Falco maintainers acknowledged the issue and are working on a plugin for deeper visibility, while Tetragon developers pointed out that their tool can detect io_uring operations, but only if specifically configured to do so. Despite io_uring being available for years and previously identified as potentially problematic, security vendors have largely failed to address this gap in their monitoring capabilities.

The report outlines several approaches that security vendors can implement to close the gap. These include detecting anomalous usage of io_uring, implementing KRSI (Kernel Runtime Security Instrumentation), and finding alternative hook points across the Linux stack. “KRSI offers native integration with the Linux security layer, enabling deep visibility into kernel-level events.” The researchers emphasize that security vendors must adapt their detection strategies beyond simple syscall monitoring to ensure comprehensive protection against increasingly sophisticated attack techniques. The discovery highlights the challenges security vendors face in keeping pace with evolving attack techniques and underscores the importance of monitoring approaches that can adapt to new kernel features and bypass methods.
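The first mitigation the report names, detecting anomalous io_uring usage, does not have to depend on the syscall layer at all. Every io_uring ring a process creates is an anonymous-inode file descriptor, and its entry under /proc/<pid>/fd is a symlink whose target reads anon_inode:[io_uring]. The following script is an added example written for this article, not code from ARMO or from any of the products named above: it inventories io_uring users from /proc and flags those that are not on an allowlist of programs expected to use io_uring. The sample process snapshot, the process names in it and the allowlist are constructed for the example.

```python
"""Added example: enumerate processes holding an io_uring instance via /proc.

Every io_uring ring is an anonymous-inode file descriptor; its entry under
/proc/<pid>/fd is a symlink whose target reads "anon_inode:[io_uring]".
Scanning those links gives a defender a syscall-independent inventory of
io_uring users that can be compared with an allowlist of expected programs.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

IO_URING_TARGET = "anon_inode:[io_uring]"


@dataclass
class ProcInfo:
    """Minimal snapshot of one process: pid, command name, fd -> link target."""
    pid: int
    comm: str
    fd_targets: Dict[int, str] = field(default_factory=dict)


@dataclass
class Finding:
    """One process that holds at least one io_uring ring."""
    pid: int
    comm: str
    ring_fds: List[int]
    allowlisted: bool


def collect_procs(proc_root: str = "/proc") -> List[ProcInfo]:
    """Walk a procfs tree and read each process's fd symlinks.

    Processes that exit mid-scan or whose fd table is unreadable (other users'
    processes when not running as root) are skipped instead of aborting.
    Returns an empty list when proc_root does not exist.
    """
    procs: List[ProcInfo] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return procs
    for entry in entries:
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm"), encoding="utf-8") as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(base, "fd")
            targets: Dict[int, str] = {}
            for fd in os.listdir(fd_dir):
                try:
                    targets[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited or fd table not readable
        procs.append(ProcInfo(int(entry), comm, targets))
    return procs


def find_io_uring_users(procs: Iterable[ProcInfo],
                        allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per process that holds at least one io_uring fd."""
    findings: List[Finding] = []
    for proc in procs:
        ring_fds = sorted(fd for fd, target in proc.fd_targets.items()
                          if target == IO_URING_TARGET)
        if ring_fds:
            findings.append(Finding(proc.pid, proc.comm, ring_fds,
                                    proc.comm in allowlist))
    return sorted(findings, key=lambda f: f.pid)


def unexpected_users(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only io_uring users not on the allowlist: the candidates for an
    'anomalous io_uring usage' alert."""
    return [f for f in findings if not f.allowlisted]


# Constructed sample snapshot (not from a real host): a database that is
# expected to use io_uring, and an unknown helper binary holding two rings.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    ProcInfo(4242, "postgres", {3: "socket:[12345]", 7: IO_URING_TARGET}),
    ProcInfo(5150, "tmp-helper", {3: IO_URING_TARGET, 4: IO_URING_TARGET,
                                  5: "/var/tmp/.cache"}),
]
EXPECTED_IO_URING_USERS = frozenset({"postgres"})  # hypothetical site policy


if __name__ == "__main__":
    # Scan the live host when /proc is readable; otherwise use the sample.
    procs = collect_procs() or SAMPLE_PROCS
    for f in unexpected_users(find_io_uring_users(procs, EXPECTED_IO_URING_USERS)):
        print(f"ALERT pid={f.pid} comm={f.comm} io_uring fds={f.ring_fds}")
```

Run as root to see every process's fd table; unprivileged runs silently skip other users' processes. This is a point-in-time inventory, not interception: a process that creates a ring, does its work and exits between two scans is missed, which is why the report pairs anomaly detection with KRSI or other in-kernel hook points that observe the operations themselves. It also says nothing about what the ring was used for, so a hit is a lead to investigate (unknown binary, unexpected user, ring in a process class that never needs io_uring), not a verdict.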
Published on cybersecuritynews.com. Publication date: Thu, 24 Apr 2025 14:45:11 +0000