Linux io_uring PoC Rootkit Evades System Call-Based Threat Monitoring Tools

April 24, 2025 | Ravie Lakshmanan | Endpoint Security / Linux

Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit that uses the Linux asynchronous I/O mechanism io_uring to bypass traditional system call monitoring.

According to ARMO, this creates a "major blind spot in Linux runtime security tools."

In a statement shared with The Hacker News, the company said: "This mechanism allows a user application to perform various actions without using system calls." As a result, rootkits that work solely through io_uring are invisible to security tools that rely on system call monitoring.

First introduced in Linux kernel version 5.1 in March 2019, io_uring uses a submission queue (SQ) and a completion queue (CQ) shared between the kernel and the application (i.e., user space) to track the submission and completion of I/O requests asynchronously.

The rootkit developed by ARMO facilitates communication between a command-and-control (C2) server and an infected host to fetch commands and execute them without making any system calls relevant to its operations, using io_uring instead to achieve the same goals.


According to ARMO's analysis of the most popular Linux runtime security tools, both of the tools it examined are blind to io_uring-based operations because they rely heavily on system call hooking.
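Visibility that does not depend on system call hooks is still available to defenders. As an added illustration (not ARMO's PoC or any vendor's agent code), the script below looks for io_uring usage by walking /proc: a process that has set up a ring holds a file descriptor whose /proc/<pid>/fd link resolves to `anon_inode:[io_uring]`, and kernels 6.6 and later expose the `kernel.io_uring_disabled` sysctl that can restrict or disable the interface. The proc root and sysctl path are parameters so the logic can be exercised against a constructed directory tree.

```python
"""Hunt for processes holding io_uring instances by reading /proc, which does
not depend on system-call hooking. Added illustration, not ARMO's code."""
import os
from pathlib import Path

# A process that has set up a ring holds an fd whose /proc link target is the
# anonymous inode name below (kernel behaviour, not a value from the article).
IO_URING_TARGET = "anon_inode:[io_uring]"
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"  # present on Linux >= 6.6


def fd_targets_have_io_uring(targets):
    """True if any fd link target in the list is an io_uring anonymous inode."""
    return any(t == IO_URING_TARGET for t in targets)


def scan_proc(proc_root="/proc"):
    """Return {pid: io_uring_fd_count} for every process holding at least one ring."""
    hits = {}
    root = Path(proc_root)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():  # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = entry / "fd"
        try:
            targets = [os.readlink(str(fd_dir / fd)) for fd in os.listdir(fd_dir)]
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited mid-scan, or we lack privileges to inspect it
        count = sum(1 for t in targets if t == IO_URING_TARGET)
        if count:
            hits[int(entry.name)] = count
    return hits


def io_uring_policy(sysctl_path=SYSCTL_PATH):
    """Read kernel.io_uring_disabled: 0 = allowed, 1 = unprivileged blocked,
    2 = disabled for everyone. Returns None on kernels without the knob."""
    try:
        return int(Path(sysctl_path).read_text().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("kernel.io_uring_disabled =", io_uring_policy())
    for pid, n in sorted(scan_proc().items()):
        print(f"pid {pid}: {n} io_uring fd(s)")
```

Run as root to see every process; a hit is a lead to investigate, not proof of a rootkit, since legitimate databases and I/O-heavy services also use io_uring.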

A fix has since been released for CrowdStrike's Falcon agent, which also failed to detect file system operations performed through io_uring. Microsoft Defender for Endpoint on Linux is said to lack the ability to detect various kinds of threats, regardless of whether io_uring was used.

The security risks of io_uring have been known for some time. In June 2023, Google decided to restrict use of the Linux kernel feature across Android, ChromeOS, and its production servers because it "provides solid exploitation primitives."

Amit Schendel, Head of Security Research at ARMO, stated, "On the one hand, you need access to core structures and enough perspective to find threats effectively," adding, "On the other hand, you need access to kernel structures and satisfactory context."

"Several vendors take the simplest route: hooking directly into system calls. Although this approach has advantages for fast visibility, it has limitations. Importantly, system calls aren't always guaranteed to be invoked. io_uring, which can bypass them entirely, is a good example."
