A significant security gap in Linux runtime security caused by the 'io_uring' interface allows rootkits to operate undetected on systems while bypassing advanced enterprise security software.

The flaw was discovered by ARMO security researchers, who developed a proof-of-concept rootkit called "Curing" to demonstrate the practicality and feasibility of attacks leveraging io_uring for evasion.

io_uring is a Linux kernel interface for efficient, asynchronous I/O operations. Instead of relying on system calls that cause a lot of overhead and process hangs, io_uring uses ring buffers shared between programs and the system kernel to queue up I/O requests that will be processed asynchronously, allowing the program to keep running.

The problem, according to ARMO, arises from the fact that most security tools monitor for suspicious syscalls and hooking (like 'ptrace' or 'seccomp'), completely ignoring anything that involves io_uring, creating a very dangerous blind spot.

The researchers explain that io_uring supports a wide range of operations through 61 operation types, including file reads/writes, creating and accepting network connections, spawning processes, modifying file permissions, and reading directory contents, making it a powerful rootkit vector.

Such is the risk that Google decided to turn it off by default on Android and ChromeOS, which use the Linux kernel and inherit many of its underlying vulnerabilities.

To put theory into testing, ARMO created Curing, a special-purpose rootkit that abuses io_uring to pull commands from a remote server and execute arbitrary operations without triggering syscall hooks. Testing Curing against several well-known runtime security tools demonstrated that most couldn't detect its activity. Testing against commercial tools, ARMO further confirmed the inability to detect io_uring-based malware and kernel interactions that don't involve syscalls.

ARMO suggests that the problem can be solved with the adoption of Kernel Runtime Security Instrumentation (KRSI), which allows eBPF programs to be attached to security-relevant kernel events.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
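A defender-side inventory check that follows from the blind spot described above, added here as an illustration and not code from ARMO or the article: it reports the kernel.io_uring_disabled sysctl (assumed to exist on Linux 6.6 and later, with the values listed in the docstring) and lists processes whose file descriptors point at an io_uring instance, which the kernel exposes in /proc/<pid>/fd as links to anon_inode:[io_uring]. Process names are read from /proc/<pid>/comm; fd directories of other users' processes need root to read.

```python
"""Inventory io_uring exposure on a Linux host (added illustration, not ARMO's code).
Assumes: kernel.io_uring_disabled exists on Linux >= 6.6 (0 enabled, 1 restricted to
CAP_SYS_ADMIN/io_uring_group, 2 disabled); each io_uring instance appears in
/proc/<pid>/fd as a symlink to "anon_inode:[io_uring]"."""
import os

IO_URING_LINK = "anon_inode:[io_uring]"
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"
SYSCTL_MEANING = {"0": "io_uring enabled for all processes",
                  "1": "io_uring restricted to CAP_SYS_ADMIN and io_uring_group",
                  "2": "io_uring disabled"}

def describe_sysctl(raw):
    """Translate raw sysctl content (None when the file is absent) to text."""
    if raw is None:
        return "kernel.io_uring_disabled absent (kernel < 6.6): io_uring enabled"
    return SYSCTL_MEANING.get(raw.strip(), "unknown value %r" % raw.strip())

def count_io_uring_fds(link_targets):
    """Count fd symlink targets that refer to an io_uring instance."""
    return sum(1 for target in link_targets if target == IO_URING_LINK)

def read_sysctl(path=SYSCTL_PATH):
    """Return the sysctl file's content, or None when the kernel lacks it."""
    return open(path).read() if os.path.exists(path) else None

def scan_proc(proc="/proc"):
    """Return {pid: (comm, ring_count)} for processes holding io_uring fds."""
    found = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:      # not Linux, or /proc unavailable
        return found
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or fd dir unreadable (needs root for others)
            continue
        rings = count_io_uring_fds(targets)
        if rings:
            try:
                comm = open(os.path.join(proc, pid, "comm")).read().strip()
            except OSError:
                comm = "?"
            found[int(pid)] = (comm, rings)
    return found

if __name__ == "__main__":  # print the sysctl state and every ring-holding process
    print(describe_sysctl(read_sysctl()), scan_proc())
```

A process holding a ring is not evidence of malice (databases and async runtimes use io_uring legitimately), but a sysctl value of 0 plus rings in unexpected processes is exactly the surface syscall-only monitoring misses.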
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 24 Apr 2025 12:05:08 +0000