NEWS New Attack on Linux: io_uring Allows Command Execution Without System Calls

ExcalibuR

Traditional security systems are no longer effective.

Cybersecurity researchers have identified a blind spot in the security monitoring approaches used on Linux systems, demonstrating a new method of stealthy intrusion built on the io_uring mechanism. The problem is that many security tools rely on tracking system calls, while io_uring allows I/O to be performed without issuing those calls, leaving such tools with nothing to observe.


The work centres on a Proof of Concept (PoC) rootkit called Curing, developed by the ARMO team. It uses io_uring, a kernel interface introduced in Linux 5.1 in March 2019. The mechanism is built on two ring buffers shared between user space and the kernel, the submission queue and the completion queue, and is designed for asynchronous processing of I/O requests. By working directly through these structures, the rootkit can receive commands from a Command and Control (C2) server and carry them out without any system calls, so it stays invisible to most traditional security solutions.


The research showed that popular tools like Falco and Tetragon are unable to detect activity based on io_uring, because they focus on intercepting system calls; such activity simply slips past their analysis. Even CrowdStrike's Falcon agent, which initially did not track io_uring-based operations, later received an update to close the gap. According to ARMO, however, Microsoft Defender for Endpoint on Linux still cannot effectively detect such attacks, regardless of the mechanism involved.


This concern is not new. In 2023, Google acknowledged the risks of io_uring and restricted its use in Android, ChromeOS, and its server infrastructure, stating that the interface gives attackers too powerful a tool for exploiting vulnerabilities.


ARMO emphasizes that most security solutions take a primitive approach to monitoring — they simply watch system calls, assuming they are the primary indicator of activity. But in modern conditions, this is no longer sufficient. The emergence of mechanisms like io_uring clearly demonstrates how easily traditional analysis tools can be bypassed.


The conclusion is clear — effective protection requires deeper monitoring, including analysis of the kernel's internal structures and of how components interact, rather than superficial tracking of system calls alone. Otherwise, such rootkits will keep growing more sophisticated and harder to detect.
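As an added illustration of the "look at kernel structures, not just syscalls" point (example code written for this post, not ARMO's Curing PoC or any vendor's tooling), the script below lists processes that currently hold an io_uring instance. It relies on two documented kernel facts: io_uring_setup(2) returns a file descriptor backed by an anonymous inode whose /proc/<pid>/fd symlink reads exactly `anon_inode:[io_uring]`, and Linux 6.6 and later expose the `kernel.io_uring_disabled` sysctl (0 = enabled, 1 = restricted to CAP_SYS_ADMIN or the `kernel.io_uring_group` group, 2 = disabled). The `proc_root` parameter and the `build_demo_proc` helper, which fabricates a small /proc-like tree so the scan can be run offline, are this example's own constructions.

```python
"""Defensive inventory of io_uring users via /proc (added example, not from the article).

A ring is created with io_uring_setup(2) once; afterwards it can be driven through
the shared submission/completion queues without further syscalls. The setup call
leaves a durable trace in the fd table, so scanning fd symlinks is one
structure-level check that does not depend on tracing later syscalls.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Exact symlink target the kernel reports for an io_uring fd in /proc/<pid>/fd.
IO_URING_TARGET = "anon_inode:[io_uring]"


@dataclass
class IoUringUser:
    pid: int
    comm: str
    ring_fds: list = field(default_factory=list)


def _read_comm(proc_root: str, pid: int) -> str:
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan_io_uring_users(proc_root: str = "/proc") -> list:
    """Return one IoUringUser per pid whose fd table contains at least one io_uring ring."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ... only pid directories
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or we lack ptrace-level access
            continue
        ring_fds = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:              # fd closed between listdir and readlink
                continue
            if target == IO_URING_TARGET:
                ring_fds.append(int(fd))
        if ring_fds:
            found.append(IoUringUser(pid, _read_comm(proc_root, pid), sorted(ring_fds)))
    return found


def io_uring_policy(proc_root: str = "/proc"):
    """Value of kernel.io_uring_disabled (Linux 6.6+), or None on older kernels."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_demo_proc() -> str:
    """Constructed /proc look-alike for offline runs: pid 1234 holds a ring, 5678 does not."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "1234", "fd"))
    os.symlink(IO_URING_TARGET, os.path.join(root, "1234", "fd", "3"))
    os.symlink("/dev/null", os.path.join(root, "1234", "fd", "0"))
    with open(os.path.join(root, "1234", "comm"), "w") as f:
        f.write("demo-ring-user\n")
    os.makedirs(os.path.join(root, "5678", "fd"))
    os.symlink("/dev/null", os.path.join(root, "5678", "fd", "0"))
    os.makedirs(os.path.join(root, "self", "fd"))   # non-pid entry that must be skipped
    os.makedirs(os.path.join(root, "sys", "kernel"))
    with open(os.path.join(root, "sys", "kernel", "io_uring_disabled"), "w") as f:
        f.write("2\n")
    return root


if __name__ == "__main__":
    root = build_demo_proc()             # swap for "/proc" (as root) on a live host
    print("kernel.io_uring_disabled =", io_uring_policy(root))
    for u in scan_io_uring_users(root):
        print(f"pid {u.pid} ({u.comm}) holds io_uring fds {u.ring_fds}")
```

On a live host the scan needs root (or CAP_SYS_PTRACE) to read other processes' fd tables, and it only catches rings that are still open; it is an inventory and allow-listing aid, not a substitute for kernel-level telemetry. Where the sysctl exists, setting it to 2 (or to 1 with a tightly scoped `kernel.io_uring_group`) removes the interface from unprivileged code entirely, which is the mitigation the Google policy cited above amounts to.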