A recently released research proof-of-concept rootkit called Curing takes advantage of io_uring, the Linux asynchronous I/O mechanism. The rootkit lets attackers slip malware and other malicious activity past detection tools that rely on monitoring system calls. Curing uses io_uring to communicate between a command-and-control (C2) server and an infected host; because the method avoids general-purpose system calls, it also removes their overhead and improves throughput.
Curing's design should worry cybersecurity professionals: it operates in a way that most legacy monitoring systems simply cannot pick up. The technique exposes a serious gap in Linux runtime security and has set off alarms in the information security community.
Understanding io_uring
io_uring is a relatively new Linux kernel interface for performing asynchronous I/O efficiently. Unlike traditional approaches that depend on costly system calls, io_uring lets a user application submit and complete many operations on its own, saving time and improving performance. As useful as this capability is for performance, it also opens a new path for exploitation.
As ARMO, the company responsible for development of the Curing rootkit, points out, this mechanism has serious implications that should not be overlooked. They stated, “This mechanism allows a user application to perform various actions without using system calls.”
With no system calls being used, traditional security tools like Falco and Tetragon suddenly become “blind.” This is especially the case for applications that do everything with io_uring. ARMO pointed out that “as a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”
The Implications of Curing
Cybersecurity researchers have shown that Curing evades detection effectively by taking advantage of the powerful primitives io_uring provides. As noted by Amit Schendel, Head of Security Research at ARMO, “On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively.”
The fact that io_uring operates outside traditional monitoring frameworks creates a “major blind spot in Linux runtime security tools,” according to ARMO. This gap poses a major threat for entities depending on these tools for defense against nefarious actions.
In June 2023, Google recognized the potential risks associated with io_uring and decided to limit its use across Android, ChromeOS, and its production servers. This decision reflects the increasing understanding that tighter controls are needed around this powerful Linux kernel interface.
Mitigating Future Threats
The emergence of Curing serves as a warning to cybersecurity professionals about the evolving landscape of threats that leverage advanced kernel features like io_uring. Traditional detection methods struggle to keep pace with these developments, which creates an urgent opportunity to strengthen security safeguards.
Organizations may need to adopt new strategies and tools that can effectively monitor and detect activity associated with io_uring-based operations. This change in detection strategy, straightforward as it may seem, is a key element in protecting environments from today's more advanced rootkits and cyber threats.
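One low-cost place to start is an inventory of where io_uring is actually in use and whether the kernel is configured to restrict it. The script below is an added example written for this article; it is not ARMO's tooling or part of Curing. It assumes the standard Linux /proc layout, in which an io_uring instance appears in /proc/<pid>/fd as a symlink to "anon_inode:[io_uring]", and it assumes a kernel of 6.6 or newer for the optional kernel.io_uring_disabled sysctl (0 = allowed for everyone, 1 = unprivileged processes blocked unless they belong to kernel.io_uring_group, 2 = disabled for all processes). On older kernels the sysctl is simply reported as absent.

```python
"""Inventory io_uring use on a Linux host from /proc.

Added defensive example, not ARMO's code. Assumptions: an io_uring fd shows
up as the symlink target "anon_inode:[io_uring]" under /proc/<pid>/fd, and
/proc/sys/kernel/io_uring_disabled exists on kernels 6.6+ (0/1/2 as below).
"""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

IO_URING_TARGET = "anon_inode:[io_uring]"

# Meaning of kernel.io_uring_disabled as documented for Linux 6.6+.
SYSCTL_MEANING = {
    "0": "io_uring allowed for all processes",
    "1": "io_uring blocked for unprivileged processes (except kernel.io_uring_group)",
    "2": "io_uring disabled for all processes",
}


def group_io_uring_fds(fd_links: Iterable[Tuple[int, str, str]]) -> Dict[int, List[str]]:
    """Pure logic: from (pid, fd_name, link_target) triples, return the
    io_uring fds per pid as {pid: [fd_name, ...]}; pids without any are omitted."""
    hits: Dict[int, List[str]] = defaultdict(list)
    for pid, fd_name, target in fd_links:
        if target == IO_URING_TARGET:
            hits[pid].append(fd_name)
    return dict(hits)


def describe_io_uring_sysctl(raw: Optional[str]) -> str:
    """Translate the raw sysctl value (or None when the file is absent) into text."""
    if raw is None:
        return "kernel.io_uring_disabled not present (kernel < 6.6 or sysctl unavailable)"
    return SYSCTL_MEANING.get(raw.strip(), f"unknown value {raw.strip()!r}")


def read_fd_links(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk every /proc/<pid>/fd directory and resolve each symlink.
    Entries we cannot read (short-lived or other users' processes when not root)
    are skipped rather than treated as findings."""
    out: List[Tuple[int, str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        for name in names:
            try:
                target = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue
            out.append((int(entry), name, target))
    return out


def read_io_uring_sysctl(proc_root: str = "/proc") -> Optional[str]:
    """Return the raw value of kernel.io_uring_disabled, or None if absent."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    except OSError:
        return None


def process_name(pid: int, proc_root: str = "/proc") -> str:
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm"), encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # Run as root for a complete view; unprivileged runs only see your own processes.
    print(describe_io_uring_sysctl(read_io_uring_sysctl()))
    users = group_io_uring_fds(read_fd_links())
    if not users:
        print("no process currently holds an io_uring fd")
    for pid, fds in sorted(users.items()):
        # Each pid listed here is a candidate for closer review: expected io_uring
        # users (database engines, some proxies) should be on an allow-list.
        print(f"pid {pid} ({process_name(pid)}): io_uring fds {', '.join(fds)}")
```

Because syscall-based sensors cannot see io_uring submissions, this kind of periodic /proc sweep is a state check rather than an event feed: it tells you which processes hold a ring at scan time, so it belongs alongside an allow-list of known io_uring users and, where the workload permits, setting kernel.io_uring_disabled to 1 or 2. Setting the sysctl to 1 or 2 does not affect rings that already exist, so the sweep is still worth running after a policy change.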