Full Report
A significant gap in Linux runtime security caused by the `io_uring` interface allows rootkits to operate undetected on systems while bypassing advanced enterprise security software. [...]
Analysis Summary
# Vulnerability: Linux io_uring Blindspot Enabling Stealthy Rootkit Attacks
## CVE Details
- CVE ID: Not explicitly provided in the article.
- CVSS Score: Not provided.
- CWE: Unknown. The issue is less a kernel code defect than a protection-mechanism gap: security monitoring that hooks only syscalls does not see work submitted through `io_uring`.
## Affected Systems
- Products: Linux Kernel (specifically the `io_uring` subsystem).
- Versions: Unspecified versions where `io_uring` is enabled and traditional syscall monitoring is the primary defense mechanism.
- Configurations: Systems relying solely on traditional syscall monitoring (like `ptrace` or `seccomp`) for runtime security. Android and ChromeOS were noted as taking preventative measures by turning `io_uring` off by default in some contexts.
## Vulnerability Description
The vulnerability stems from a security blindspot in how runtime security monitoring tools operate on Linux. Many tools primarily monitor traditional system calls (syscalls) and hooking mechanisms (like `ptrace` or `seccomp`). The Linux `io_uring` interface supports 61 types of operations, including sensitive actions such as file I/O, spawning processes, network connection management, and permission modification. Because these operations are submitted through shared ring buffers rather than through the per-operation syscalls (`openat`, `read`, `connect`, and so on) that such tools hook, they never pass through the monitored syscall paths. This allows malware, such as rootkits, to perform malicious activities stealthily.
## Exploitation
- Status: Proof-of-Concept (PoC) available. The rootkit named "Curing" was created by ARMO to demonstrate this capability.
- Complexity: Implied Medium to High, as it requires deep knowledge of the `io_uring` interface to craft operations that bypass existing monitoring filters.
- Attack Vector: Network (implied, as Curing pulls commands from a remote server) and Local (requires local execution to start the payload).
## Impact
- Confidentiality: High (Ability to read files, capture network traffic, or gain privileged information via arbitrary operations).
- Integrity: High (Ability to spawn processes, modify files, execute arbitrary operations).
- Availability: Medium (Potential for disruption, though the primary goal appears to be stealthy command-and-control and persistence).
## Remediation
### Patches
- No specific kernel patch version was mentioned in the context provided. The solution appears to rely on enhanced security instrumentation.
### Workarounds
- **Google/Android/ChromeOS Action:** Turning `io_uring` off by default (at the cost of any functionality that depends on it).
- **Runtime Security Upgrade:** Adopting Kernel Runtime Security Instrumentation (KRSI) to allow eBPF programs to attach to security-relevant kernel events, which can monitor operations occurring within `io_uring`.
## Detection
- **Indicators of Compromise:** Malicious activity occurring via `io_uring` that does not correlate with expected syscall activity from the application.
- **Detection Methods and Tools:**
  - Traditional syscall monitoring tools (like Falco in its default configuration) were *ineffective*.
  - Tetragon, in its default configuration, was also blind, but it was noted that it can be configured to detect this activity.
- **Recommended:** Utilizing systems capable of Kernel Runtime Security Instrumentation (KRSI) and advanced eBPF monitoring tailored to kernel events, rather than just syscall entry/exit points.
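A host-side triage check to complement the KRSI-based monitoring recommended above, added here as an example and not code from ARMO, Curing or Tetragon. It relies on two facts about the Linux kernel: every process holding an io_uring instance has a `/proc/<pid>/fd` entry whose link target is `anon_inode:[io_uring]`, and kernels from 6.6 onward expose the `kernel.io_uring_disabled` sysctl (0, 1 or 2) that implements the "turn it off" workaround. The allow-list of legitimate io_uring users and the fake `/proc` tree built by `build_sample_proc()` are constructed for an offline run; point the functions at the real `/proc` on a host.

```python
import os
import tempfile
from pathlib import Path

IO_URING_TARGET = "anon_inode:[io_uring]"  # readlink target of an io_uring instance fd
# Meaning of the kernel.io_uring_disabled sysctl (present since Linux 6.6).
DISABLED_STATES = {"0": "enabled for all processes",
                   "1": "restricted to CAP_SYS_ADMIN and kernel.io_uring_group",
                   "2": "disabled for all processes"}

def io_uring_holders(proc_root="/proc"):
    """Return {pid: comm} for every process holding at least one io_uring instance."""
    holders = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            targets = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:  # process exited, fd closed mid-scan, or fd table not readable
            continue
        if IO_URING_TARGET in targets:
            comm = pid_dir / "comm"
            holders[int(pid_dir.name)] = comm.read_text().strip() if comm.exists() else "?"
    return holders

def io_uring_policy(proc_root="/proc"):
    """Describe kernel.io_uring_disabled, or report it absent on kernels older than 6.6."""
    try:
        value = (Path(proc_root) / "sys/kernel/io_uring_disabled").read_text().strip()
    except OSError:
        return "sysctl absent (kernel before 6.6: io_uring always enabled)"
    return DISABLED_STATES.get(value, "unknown value " + value)

def unexpected_holders(holders, baseline):
    """Keep only holders whose comm is not on the site's allow-list of io_uring users."""
    return {pid: comm for pid, comm in holders.items() if comm not in baseline}

def build_sample_proc():
    """Constructed fake /proc for an offline run: pid 4242 holds io_uring, pid 7 holds a socket."""
    root = Path(tempfile.mkdtemp())
    for pid, comm, target in ((4242, "demo-uring", IO_URING_TARGET), (7, "sshd", "socket:[1234]")):
        (root / str(pid) / "fd").mkdir(parents=True)
        (root / str(pid) / "comm").write_text(comm + "\n")
        os.symlink(target, root / str(pid) / "fd" / "3")
    (root / "sys" / "kernel").mkdir(parents=True)
    (root / "sys" / "kernel" / "io_uring_disabled").write_text("1\n")
    return root
```

A process outside the baseline that holds an io_uring instance is not proof of compromise, only a prompt to look at what it does with it, which is exactly the activity a syscall-only monitor will not show you.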
## References
- ARMO GitHub repository containing the Curing PoC: `github[.]com/armosec/curing` (defanged)
- Blog post on eBPF and file monitoring by the Tetragon developers: `isovalent[.]com/blog/post/file-monitoring-with-ebpf-and-tetragon-part-1/` (defanged)
- Google's decision to disable io_uring by default: `security[.]googleblog[.]com/2023/06/learnings-from-kctf-vrps-42-linux.html` (defanged)