Linux 'io_uring' Security Blindspot Allows Stealthy Rootkit Attacks


Security researchers at ARMO have identified a significant vulnerability within the Linux kernel's io_uring interface. This flaw enables rootkits to operate stealthily, bypassing many standard runtime security tools that primarily monitor traditional system calls. The io_uring interface, designed for efficient asynchronous I/O, doesn't trigger the same hooks, creating a dangerous blind spot. ARMO developed a proof-of-concept rootkit named 'Curing' to demonstrate how attackers could exploit this, executing commands remotely without detection by tools like Falco. While some security platforms like Tetragon can be configured to monitor these activities, default setups often miss them. Due to the risks, Google has preemptively disabled io_uring by default in Android and ChromeOS. Adopting Kernel Runtime Security Instrumentation (KRSI) is suggested for more comprehensive monitoring.
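As an added defender-side example (not ARMO's code and not part of the article), the following Python script inventories processes that currently hold an io_uring instance, which appear in /proc/<pid>/fd as symlinks to anon_inode:[io_uring], and reads the kernel.io_uring_disabled sysctl that newer kernels (6.6 and later) expose; the sample fd table is constructed, and the check is a host-level audit that complements, rather than replaces, the kernel-level hooks the article recommends.

```python
"""Host audit for io_uring usage: a quick check for the monitoring blind spot described above."""
import os
from typing import Dict, Iterable, List, Optional

# An io_uring instance is an anonymous inode; its fd symlink in /proc/<pid>/fd
# resolves to this literal string.
IO_URING_LINK = "anon_inode:[io_uring]"


def pids_using_io_uring(fd_table: Dict[int, Iterable[str]]) -> List[int]:
    """Return the sorted pids whose fd link targets include an io_uring instance.
    fd_table maps pid -> iterable of readlink() targets for that pid's fds."""
    return sorted(pid for pid, links in fd_table.items()
                  if any(link == IO_URING_LINK for link in links))


def collect_fd_table(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk procfs and read every fd symlink; processes that exit mid-scan or
    are not readable (no CAP_SYS_PTRACE) are skipped rather than aborting."""
    table: Dict[int, List[str]] = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:          # not Linux, or procfs not mounted
        return table
    for entry in entries:
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        links = []
        for fd in fds:
            try:
                links.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # fd closed between listdir and readlink
                continue
        table[int(entry)] = links
    return table


def io_uring_disabled_state(path: str = "/proc/sys/kernel/io_uring_disabled") -> Optional[int]:
    """kernel.io_uring_disabled: 0 = enabled for all, 1 = restricted to privileged
    users / io_uring_group, 2 = disabled. None when the kernel lacks the knob."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


# Constructed sample fd table (not captured from a real host).
SAMPLE_FD_TABLE = {
    1: ["/dev/null", "socket:[12345]"],
    4242: ["/dev/null", IO_URING_LINK, "socket:[99999]"],
    5555: ["pipe:[777]", "anon_inode:[eventpoll]"],
}

if __name__ == "__main__":
    print("constructed sample, pids using io_uring:", pids_using_io_uring(SAMPLE_FD_TABLE))
    print("this host, pids using io_uring:", pids_using_io_uring(collect_fd_table()))
    print("kernel.io_uring_disabled:", io_uring_disabled_state())
```

A process legitimately using io_uring (databases, some web servers) will show up too, so treat hits as an inventory to reconcile against known software, not as a verdict.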