Linux has a major weakness: invisible rootkit abuses security systems’ blind spot


Security researchers released a rootkit that leaves most modern Linux security systems blind to its activities. It abuses the performance-increasing method that Google disabled on Android devices due to security risks.

Attackers can hack Linux systems undetected. ARMO, a Tel Aviv-based cloud runtime security company, warns of a critical gap in most modern Linux security detection solutions.

Hackers can abuse the “io_uring” method to perform malicious activities that bypass traditional detection mechanisms. Most CISOs aren’t aware of this gap.

To demonstrate this, researchers publicly released a fully functional rootkit.

“A key weakness in security tools is a heavy dependence on monitoring of traditional system calls as a primary detection mechanism,” the ARMO researchers explain.

“While this approach is effective for many threats, it fails to account for techniques that bypass these system calls entirely.”

Exploits abusing “io_uring” are not new, and security experts generally consider the interface unsafe. In June 2023, Google concluded that 60% of bug bounty submissions exploited the “io_uring” component, which led to the decision to limit the usage of “io_uring” in Google products. The interface is unreachable from Android apps and is completely disabled on ChromeOS.

However, on most Linux distributions, this framework provides a kernel API for asynchronous input/output processing, reducing the need for traditional system calls and speeding up certain operations.

ARMO explains that “io_uring” provides a gap for attackers to perform malicious operations without triggering the typical system calls security products rely on. It provides many capabilities – 61 possible operations, including network and file system operations.

They found that the technique also blinds eBPF-based monitoring, a widely adopted monitoring and security technology that is highly popular with cloud security vendors and their customers. This affects security tools such as Falco and Tetragon.

“Most of the commercial solutions in the Linux EDR scene today rely on system call hooking,” the researchers say.

“We found that many well-known commercial products we tested showed this detection gap.”

Why release a rootkit?

Researchers hope that by releasing a fully functional rootkit called Curing, they will raise cybersecurity community awareness of a still-overlooked mechanism exploited by attackers.

“For the past two years, there have been publications detailing how this technique can be used to bypass detection mechanisms. Yet, most cybersecurity vendors still haven't addressed the issue.”

A rootkit is one of the most dangerous types of malware: it gives attackers root access to the system and effectively hides its own presence.

The Curing rootkit can communicate with a command and control server, pull commands, and execute them without making system calls.

“The main idea was to show that io_uring allows so many important operations that you can write an entire rootkit on top of.”

The researchers also explain how to detect this type of malware. They suggest looking for unusual use of “io_uring,” since most programs do not use it at all.

Linux has a relatively new mechanism called Kernel Runtime Security Instrumentation (KRSI), which enables deeper monitoring. Even hidden rootkits still have to perform certain visible actions, like reading or sending data, and those can also be detected.
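One practical form of the first suggestion above, checking which processes actually hold an io_uring instance, is shown below. This is an added example for illustration and is not code from ARMO or from the Curing research. It relies on a documented kernel behaviour: an io_uring instance created with io_uring_setup() appears in /proc/&lt;pid&gt;/fd as a symlink whose target reads "anon_inode:[io_uring]". The allowlist of expected io_uring users and the sample process tree are constructed for the demo and are assumptions, not data from the article.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Link target the kernel reports for an io_uring instance's anonymous inode
# when it is exposed through /proc/<pid>/fd/<n>.
IO_URING_LINK = "anon_inode:[io_uring]"

# Constructed allowlist for the demo: command names expected to use io_uring
# in a given environment. This is an assumption for illustration only.
EXPECTED_USERS = {"postgres", "qemu-system-x86"}


def read_comm(proc_root: str, pid: str) -> str:
    """Return the short command name of a process, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, "comm"), encoding="utf-8") as f:
            return f.read().strip()
    except OSError:
        return "?"


def io_uring_users(proc_root: str = "/proc") -> Dict[str, str]:
    """Map pid -> comm for every process holding at least one io_uring fd."""
    found: Dict[str, str] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():  # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or no permission (run as root)
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target == IO_URING_LINK:
                found[pid] = read_comm(proc_root, pid)
                break
    return found


def suspicious_io_uring_users(proc_root: str = "/proc",
                              expected=EXPECTED_USERS) -> Dict[str, str]:
    """Keep only io_uring users whose command name is not on the allowlist."""
    return {pid: comm for pid, comm in io_uring_users(proc_root).items()
            if comm not in expected}


def build_fake_proc(root: str, procs: Dict[str, Tuple[str, List[str]]]) -> None:
    """Construct a minimal /proc look-alike: pid -> (comm, fd link targets)."""
    for pid, (comm, targets) in procs.items():
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, pid, "comm"), "w", encoding="utf-8") as f:
            f.write(comm + "\n")
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(n)))
    # a non-process entry, which the scanner must ignore
    os.makedirs(os.path.join(root, "sys"))


def run_demo() -> Dict[str, str]:
    """Scan a constructed proc tree and return the unexpected io_uring users."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {
            "101": ("postgres", ["/dev/null", IO_URING_LINK]),        # allowed
            "202": ("bash", ["/dev/pts/0", "socket:[12345]"]),        # no io_uring
            "303": ("kworker-x", [IO_URING_LINK, "socket:[67890]"]),  # unexpected
        })
        return suspicious_io_uring_users(root)


if __name__ == "__main__":
    # Against the live system this needs root to read other users' fd tables.
    for pid, comm in suspicious_io_uring_users().items():
        print(f"pid {pid} ({comm}) holds an io_uring instance")
```

A point-in-time scan like this is a hunting aid rather than a complete detection: it only sees processes that still hold the ring open when it runs, and a process that is itself hidden from /proc enumeration will not appear. That is why the article's second suggestion, continuous monitoring via KRSI, complements it.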

The “io_uring” mechanism has been present in Linux since version 5.1, released on May 5th, 2019.

“This isn't just a theoretical concern – we tested major security solutions, including Falco and Tetragon, confirming they all miss these attacks. With Linux being the foundation of cloud infrastructure everywhere, this research impacts organizations across the board,” the researchers concluded.