A proof-of-concept program has been released to demonstrate a so-called monitoring "blind spot" in how some Linux antivirus and other endpoint protection tools use the kernel's io_uring interface.
That interface lets applications perform I/O without issuing the traditional per-operation system calls such as openat, read and write. That's a problem for security tools whose detection logic is built on syscall monitoring.
Rather than making a system call for each request, the application places operations - such as opening, reading and writing files - into a submission queue shared with the kernel; the kernel works through that queue and posts the results to a separate completion queue. Antivirus that watches syscalls for malicious activity may therefore never see file changes that are routed through the io_uring queues instead.
To demonstrate this, security shop ARMO built a proof-of-concept named Curing that lives entirely through io_uring. Because it avoids system calls, the program apparently went undetected by tools including Falco, Tetragon, and Microsoft Defender in their default configurations. ARMO claimed this is a "major blind spot" in the Linux security stack.
The io_uring interface was introduced in Linux kernel version 5.1, released in 2019. It was designed to improve performance by enabling asynchronous I/O between user space and the Linux kernel through shared ring buffers: a submission queue and a completion queue mapped into the process. This reduces the number of system calls required for I/O and minimizes the overhead of frequent transitions between user space and kernel space.
"Not many companies are using it but you don't need to be using it for an attacker to use it as enabled by default in most Linux systems, potentially tens of thousands of servers," ARMO's CEO Shauli Rozen told The Register. "If you're not using io_uring then disable it, but that's not always easy with cloud vendors."
Syscalls are still needed to create the ring (io_uring_setup) and, unless the submission queue is being polled by a kernel thread, to tell the kernel that new entries are waiting (io_uring_enter), but those management calls reveal nothing about which files are being opened, read or written; that detail lives only in the shared queues. You can see a demonstration of the code in the video below. Antivirus could be updated to flag any io_uring activity as potentially suspicious, given how few workloads use the interface, or the feature could simply be switched off where it isn't needed.
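As an added example (written for this page; it is not ARMO's Curing code and is not taken from the kernel or liburing), the following C program shows the mechanism the article describes: it creates a ring with the raw io_uring_setup and io_uring_enter syscalls, maps the submission and completion queues, and then opens, reads and closes a file purely by queuing IORING_OP_OPENAT, IORING_OP_READ and IORING_OP_CLOSE entries. The sample file path and contents are constructed for the demo, and the few ABI structures it needs are transcribed from the kernel's uapi header so it builds without that header; everything else is the real interface.

```c
/* io_uring_demo.c: open, read and close a file with no open/read/close syscalls (example code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_io_uring_setup            /* the numbers are the same on every architecture */
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif

/* The slice of the uapi ABI (linux/io_uring.h) this example needs, written out so it
 * builds without kernel headers; the layouts are checked against the kernel's sizes. */
enum { OP_OPENAT = 18, OP_CLOSE = 19, OP_READ = 22 };                 /* opcodes, kernel 5.6+ */
enum { OFF_SQ_RING = 0, OFF_CQ_RING = 0x8000000, OFF_SQES = 0x10000000 };
enum { ENTER_GETEVENTS = 1u << 0, FEAT_SINGLE_MMAP = 1u << 0 };
struct sqe { uint8_t opcode, flags; uint16_t ioprio; int32_t fd; uint64_t off, addr;
             uint32_t len, op_flags; uint64_t user_data; uint8_t pad[24]; };
struct cqe { uint64_t user_data; int32_t res; uint32_t flags; };
struct sq_off { uint32_t head, tail, ring_mask, ring_entries, flags, dropped, array, resv1; uint64_t resv2; };
struct cq_off { uint32_t head, tail, ring_mask, ring_entries, overflow, cqes, flags, resv1; uint64_t resv2; };
struct params { uint32_t sq_entries, cq_entries, flags, sq_thread_cpu, sq_thread_idle, features, wq_fd, resv[3];
                struct sq_off sq_off; struct cq_off cq_off; };
_Static_assert(sizeof(struct sqe) == 64 && sizeof(struct cqe) == 16 && sizeof(struct params) == 120, "ABI layout");

struct ring {
    int fd;
    uint32_t *sq_head, *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct sqe *sqes;
    struct cqe *cqes;
};
#define RING_MAP(r, sz, off) mmap(NULL, (sz), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, (r)->fd, (off))

/* Create the ring and map its regions. Returns 0, or -1 when io_uring is unavailable
 * (kernel < 5.1, a seccomp profile that blocks it, or kernel.io_uring_disabled on 6.6+). */
static int ring_init(struct ring *r, unsigned entries)
{
    struct params p = {0};
    r->fd = (int)syscall(__NR_io_uring_setup, entries, &p);
    if (r->fd < 0) return -1;
    size_t sq_sz = p.sq_off.array + p.sq_entries * sizeof(uint32_t);
    size_t cq_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct cqe);
    if (p.features & FEAT_SINGLE_MMAP) sq_sz = cq_sz = sq_sz > cq_sz ? sq_sz : cq_sz; /* 5.4+: one shared map */
    uint8_t *sq = RING_MAP(r, sq_sz, OFF_SQ_RING);
    uint8_t *cq = (p.features & FEAT_SINGLE_MMAP) ? sq : RING_MAP(r, cq_sz, OFF_CQ_RING);
    r->sqes = RING_MAP(r, p.sq_entries * sizeof(struct sqe), OFF_SQES);
    if (sq == MAP_FAILED || cq == MAP_FAILED || r->sqes == MAP_FAILED) return -1;
    r->sq_head = (uint32_t *)(sq + p.sq_off.head);      r->sq_tail = (uint32_t *)(sq + p.sq_off.tail);
    r->sq_mask = (uint32_t *)(sq + p.sq_off.ring_mask); r->sq_array = (uint32_t *)(sq + p.sq_off.array);
    r->cq_head = (uint32_t *)(cq + p.cq_off.head);      r->cq_tail = (uint32_t *)(cq + p.cq_off.tail);
    r->cq_mask = (uint32_t *)(cq + p.cq_off.ring_mask); r->cqes = (struct cqe *)(cq + p.cq_off.cqes);
    return 0;
}

/* Queue one SQE, publish it, and block until its CQE arrives. Returns the operation's result:
 * an fd or a byte count, or -errno exactly as the kernel reports it in the completion entry. */
static int submit_and_wait(struct ring *r, const struct sqe *op)
{
    uint32_t tail = *r->sq_tail, idx = tail & *r->sq_mask;
    r->sqes[idx] = *op;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);        /* the kernel may now consume it */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, ENTER_GETEVENTS, NULL, 0) < 0) return -errno;
    uint32_t head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN;
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);        /* hand the CQE slot back */
    return res;
}

#define RING_UNAVAILABLE (-4096)   /* sentinel outside the kernel's -errno range */

/* Read a file entirely through the ring: openat, read and close are SQEs, so strace shows
 * io_uring_setup, mmap and io_uring_enter but no openat/read/close on the target file.
 * Returns bytes read, -errno from the failing operation, or RING_UNAVAILABLE. */
int read_file_via_io_uring(const char *path, char *buf, size_t len)
{
    struct ring r;
    if (ring_init(&r, 4) < 0) return RING_UNAVAILABLE;
    struct sqe op = { .opcode = OP_OPENAT, .fd = AT_FDCWD, .addr = (uintptr_t)path, .op_flags = O_RDONLY };
    int fd = submit_and_wait(&r, &op), n = fd;
    if (fd >= 0) {
        struct sqe rd = { .opcode = OP_READ, .fd = fd, .addr = (uintptr_t)buf, .len = (uint32_t)len };
        n = submit_and_wait(&r, &rd);
        struct sqe cl = { .opcode = OP_CLOSE, .fd = fd };
        submit_and_wait(&r, &cl);
    }
    close(r.fd);   /* the only ordinary close(): it tears down the ring and its mappings */
    return n;
}

#define SAMPLE_PATH "/tmp/io_uring_demo.txt"   /* hypothetical path used only by this example */
#define SAMPLE_TEXT "hello from io_uring\n"    /* constructed sample contents */
enum { DEMO_UNAVAILABLE = 0, DEMO_OK = 1, DEMO_FAIL = -1 };

/* Plant the sample with ordinary syscalls, then read it back through the ring.
 * DEMO_OK means the ring path returned exactly the bytes that were written. */
int demo(void)
{
    int fd = open(SAMPLE_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return DEMO_FAIL;
    ssize_t w = write(fd, SAMPLE_TEXT, strlen(SAMPLE_TEXT));
    close(fd);
    if (w != (ssize_t)strlen(SAMPLE_TEXT)) return DEMO_FAIL;
    char buf[64] = {0};
    int n = read_file_via_io_uring(SAMPLE_PATH, buf, sizeof buf - 1);
    if (n == RING_UNAVAILABLE || n == -ENOSYS || n == -EINVAL || n == -EOPNOTSUPP || n == -EPERM || n == -EACCES)
        return DEMO_UNAVAILABLE;   /* no ring at all, or this kernel/sandbox refuses the opcode */
    if (n != (int)strlen(SAMPLE_TEXT) || strcmp(buf, SAMPLE_TEXT) != 0) return DEMO_FAIL;
    return DEMO_OK;
}

int main(void)
{
    int rc = demo();
    puts(rc == DEMO_OK ? "read back through io_uring" : rc == DEMO_UNAVAILABLE ? "io_uring unavailable here" : "FAILED");
    return rc == DEMO_FAIL;
}
```

Build with `gcc -O2 -o io_uring_demo io_uring_demo.c` and run it under `strace -e trace=openat,open,read,close ./io_uring_demo`: the O_WRONLY|O_CREAT openat, write and close that plant the sample are visible, but the read-only open, the read and the close of the same file never appear, because they travel through the queues and surface only as io_uring_enter calls with no file arguments. The program reports "unavailable" rather than failing when the ring can't be created, which is exactly what a seccomp profile that blocks io_uring_setup or, on 6.6 and later kernels, `sysctl -w kernel.io_uring_disabled=2` produces. Two caveats: the example does not set IORING_SETUP_SQPOLL, which would let a kernel thread pick up entries and remove even io_uring_enter from the steady state, and a real application would use liburing rather than the raw ABI as transcribed here.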
Youtube Video
"Many vendors take the most straightforward path: Hooking directly into system calls," said Amit Schendel, head of security research at ARMO, in a write-up about the interface.
"While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren't always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example."
We reached out to the antivirus vendors named in ARMO's report. Falco acknowledged the issue and said a fix is in the works. Tetragon claimed the attack is detectable, though not with the default settings most users rely on. As for Redmond:
Meanwhile, over at Google, patience with io_uring ran out a while ago. In mid-2023, the tech giant disabled it entirely in ChromeOS, restricted its use on Android via seccomp and SELinux policies, and removed it from production servers. The clampdown came after Google shelled out around $1 million in bug bounties linked to io_uring flaws.
Of course, ARMO has also proposed ways to detect malware abusing io_uring. The code for Curing is available on GitHub. ®