Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism known as io_uring to bypass conventional system call monitoring.
This causes a “major blind spot in Linux runtime security tools,” ARMO said.
“This mechanism allows a user application to perform various actions without using system calls,” the company said in a report shared with The Hacker News. “As a result, security tools relying on system call monitoring are ‘blind’ to rootkits working solely on io_uring.”
io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel system call interface that employs two circular buffers called a submission queue (SQ) and a completion queue (CQ), shared between the kernel and an application (i.e., user space), to track the submission and completion of I/O requests asynchronously.
The rootkit devised by ARMO facilitates communication between a command-and-control (C2) server and an infected host to fetch commands and execute them without making any system calls related to its operations, instead making use of io_uring to achieve the same goals.
ARMO’s analysis of currently available Linux runtime security tools has revealed that both Falco and Tetragon are blind to io_uring-based operations because they are heavily reliant on system call hooking.
CrowdStrike’s Falcon agent, which also did not log file system operations carried out using io_uring, has since rolled out a fix for the issue. However, Microsoft Defender for Endpoint on Linux is said to lack capabilities to detect various kinds of threats, regardless of whether io_uring was used.
The security risks posed by io_uring have been known for some time. In June 2023, Google revealed that it had decided to limit the use of the Linux kernel interface across Android, ChromeOS, and its production servers because it “provides strong exploitation primitives.”
“On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively,” Amit Schendel, Head of Security Research at ARMO, said.
“Many vendors take the most straightforward path: hooking directly into system calls. While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren’t always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example.”
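The operations submitted through the rings described above bypass per-operation system calls, but the rings themselves must first be created with the io_uring_setup system call, and the resulting file descriptor is visible under /proc/PID/fd as a symlink to anon_inode:[io_uring]. The following added example (written for this article, not ARMO's Curing code) inventories which processes on a host hold io_uring instances, which is the minimum a defender needs to scope the blind spot; the sample fd table and PIDs are constructed.

```python
"""Inventory processes holding io_uring instances by scanning /proc/<pid>/fd.

Added example, not part of the original article or ARMO's PoC. The io_uring
file descriptor shows up as the symlink target "anon_inode:[io_uring]".
"""
import os
from collections import defaultdict

IO_URING_TARGET = "anon_inode:[io_uring]"


def find_io_uring_users(fd_links):
    """fd_links: iterable of (pid, fd, link_target) tuples.

    Returns {pid: [fd, ...]} for every process that holds at least one
    io_uring file descriptor. Kept pure so it can be tested on constructed
    input without touching the live /proc tree.
    """
    users = defaultdict(list)
    for pid, fd, target in fd_links:
        if target == IO_URING_TARGET:
            users[int(pid)].append(int(fd))
    return dict(users)


def iter_proc_fd_links(proc_root="/proc"):
    """Yield (pid, fd, link_target) for every readable fd on the host.

    Processes that exit or deny access mid-scan are skipped rather than
    aborting the inventory.
    """
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                yield entry, fd, os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue


# Constructed sample fd table: two processes with rings, one without.
SAMPLE_FD_LINKS = [
    ("4242", "3", "anon_inode:[io_uring]"),
    ("4242", "4", "socket:[98765]"),
    ("4242", "7", "anon_inode:[io_uring]"),
    ("1337", "0", "/dev/null"),
    ("1337", "5", "anon_inode:[eventpoll]"),
    ("9001", "6", "anon_inode:[io_uring]"),
]

if __name__ == "__main__":
    # Live scan of this host; prints nothing where no process uses io_uring.
    for pid, fds in sorted(find_io_uring_users(iter_proc_fd_links()).items()):
        print(f"pid {pid} holds io_uring fds {fds}")
```

Any process that appears here but generates no read/write/connect events in a syscall-based tool is a candidate for the gap the article describes; the scan needs root to read other users' /proc/PID/fd entries.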