ARMO researchers have uncovered a critical weakness in Linux runtime security tools, revealing how the io_uring interface enables rootkits to operate undetected by conventional monitoring solutions. Their findings demonstrate that many widely used tools — including Falco, Tetragon, and even Microsoft Defender for Endpoint — are “blind” to attacks exploiting this mechanism.
“This mechanism allows a user application to perform various actions without using system calls,” ARMO explains. Introduced in Linux 5.1, io_uring is a high-performance asynchronous I/O interface that uses shared ring buffers between user space and kernel space, significantly reducing overhead.
While beneficial for efficiency, io_uring also bypasses traditional system call monitoring — the backbone of many Linux security tools. As ARMO warns: “Security tools relying on system call monitoring are ‘blind’ to rootkits working solely on io_uring.”
To demonstrate the threat, ARMO developed Curing, a fully functional rootkit that communicates with a command-and-control server exclusively via io_uring operations, with zero detectable system calls. This proof-of-concept highlights how attackers could:
- Exfiltrate data.
- Execute commands.
- Perform lateral movement within networks.
without triggering traditional monitoring tools.
ARMO tested Curing against several open-source and commercial Linux security products, discovering alarming gaps:
- Falco: Completely blind to io_uring-based operations.
- Tetragon: Default policies miss io_uring activity, although deeper visibility can be configured with Kprobes and LSM hooks.
- Microsoft Defender for Endpoint: Failed to detect multiple malicious activities, even with io_uring usage. Detection was limited to file changes monitored by Fanotify.
According to ARMO: “Many well-known commercial products we tested showed this detection gap.”
Today’s Linux EDR tools largely depend on eBPF-based agents, prioritizing syscall monitoring due to ease of implementation. However, ARMO highlights a significant architectural flaw: “Most cybersecurity vendors still haven’t addressed the issue… they continue to rely on easy and straightforward solutions that are not immune to changes and diversity of applications and kernel features.”
ARMO recommends several strategies to close this blind spot:
- Monitor Anomalous io_uring Usage: Flag unexpected use of io_uring in applications.
- Adopt KRSI (Kernel Runtime Security Instrumentation): Integrate with Linux’s LSM framework for deeper, structured kernel event visibility.
- Hook Beyond System Calls: Explore stable Kprobes and other hook points for better coverage across the kernel.
As ARMO notes, KRSI provides a more resilient detection mechanism: “Unlike direct syscall hooking, LSM hooks provide more consistent and reliable coverage for security-relevant actions.”