Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit, called Curing, that uses the asynchronous I/O mechanism of Linux, io_uring, to bypass traditional system call monitoring.
This creates “a major blind spot in Linux security tools,” ARMO said.
“This mechanism allows a user to perform various actions without using system calls,” the company noted in a report shared with The Hacker News. “As a result, security tools that rely on system call monitoring are blind to rootkits that work solely on io_uring.”
io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel interface that employs two ring buffers, called the submission queue (SQ) and the completion queue (CQ), shared between the kernel and the application (i.e., user space) to track the submission and completion of asynchronous I/O requests.
The rootkit, developed by ARMO, establishes communication between a command-and-control (C2) server and the infected host to fetch commands and execute them without making any system calls relevant to its activity, using io_uring instead to achieve the same goals.
https://www.youtube.com/watch?v=oj6vqo87mi
ARMO's analysis of currently available Linux runtime security tools showed that both Falco and Tetragon are blind to io_uring-based operations because they depend heavily on system call hooking.
CrowdStrike's Falcon agent, which also failed to detect operations performed on the system via io_uring, has since rolled out a fix for the issue. Microsoft Defender for Endpoint on Linux, however, is said to lack the capabilities to detect various types of threats, regardless of whether io_uring was used.
The risks posed by io_uring have been known for a while. In June 2023, Google disclosed that it had decided to limit the use of the Linux kernel interface across Android, ChromeOS, and its production servers, as it “provides strong exploitation primitives.”
“On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context for effective threat detection,” said Amit Schendel, Head of Security Research at ARMO.
“Many vendors take the simplest path: hooking directly into system calls. While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren't always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example.”
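One complementary check a defender can run, added here as an example that is not part of ARMO's report or of the Curing code: an io_uring instance is created by io_uring_setup(2) and lives in the owning process's file descriptor table as an anonymous inode that the kernel names “[io_uring]”, so an entry under /proc/<pid>/fd that resolves to anon_inode:[io_uring] reveals which processes own a ring even though the ring's subsequent operations never pass through the hooked system call entry points. The script below inventories ring owners from a procfs snapshot and flags those whose executable is not on an allow-list. The allow-list of expected ring users and the sample /proc snapshot are constructed assumptions; the /proc walk itself runs only on a live Linux host.

```python
import os
from dataclasses import dataclass, field

# Symlink target of an io_uring instance under /proc/<pid>/fd: io_uring_setup(2)
# returns an fd backed by an anonymous inode that the kernel names "[io_uring]".
IO_URING_TARGET = "anon_inode:[io_uring]"

# Constructed assumption: binaries on this host that are expected to use io_uring.
EXPECTED_IO_URING_USERS = frozenset({"/usr/sbin/postgres", "/usr/bin/qemu-system-x86_64"})


@dataclass
class RingOwner:
    pid: int
    exe: str
    ring_fds: list = field(default_factory=list)


def classify_fds(fd_targets):
    """Return the fd numbers (sorted) whose readlink target is an io_uring anon inode.

    fd_targets maps fd number -> readlink() result for /proc/<pid>/fd/<n>.
    Kept separate from the /proc walk so it can run on a constructed snapshot.
    """
    return sorted(fd for fd, target in fd_targets.items() if target == IO_URING_TARGET)


def find_ring_owners(processes):
    """processes: iterable of (pid, exe_path, fd_targets) tuples.
    Returns a RingOwner for every process holding at least one io_uring fd."""
    owners = []
    for pid, exe, fd_targets in processes:
        fds = classify_fds(fd_targets)
        if fds:
            owners.append(RingOwner(pid, exe, fds))
    return owners


def unexpected_ring_owners(processes, expected=EXPECTED_IO_URING_USERS):
    """Ring owners whose executable is not on the allow-list: the ones worth a look,
    because syscall-hooking tools will not see what these rings are doing."""
    return [o for o in find_ring_owners(processes) if o.exe not in expected]


def snapshot_proc(proc_root="/proc"):
    """Walk a live procfs (Linux only) and yield (pid, exe, fd_targets) tuples.
    Processes that exit mid-walk or deny access are skipped."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            fd_names = os.listdir(fd_dir)
        except OSError:
            continue
        targets = {}
        for fd in fd_names:
            try:
                targets[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink
        yield pid, exe, targets


# Constructed sample snapshot: one expected ring user, one process without a ring,
# and one unexpected binary holding two rings.
SAMPLE_PROCESSES = [
    (1203, "/usr/sbin/postgres", {0: "/dev/null", 7: IO_URING_TARGET}),
    (1788, "/usr/bin/bash", {0: "/dev/pts/1", 3: "socket:[44821]"}),
    (2310, "/tmp/.cache/updater", {3: "socket:[51002]", 4: IO_URING_TARGET, 5: IO_URING_TARGET}),
]

if __name__ == "__main__":
    # Use the live procfs on Linux; fall back to the constructed sample elsewhere.
    source = list(snapshot_proc()) if os.path.isdir("/proc/self") else SAMPLE_PROCESSES
    for owner in unexpected_ring_owners(source):
        print(f"pid {owner.pid} {owner.exe} holds io_uring fds {owner.ring_fds}")
```

Run it as root (or with read access to other processes' /proc entries) and periodically diff the output against a known baseline; a new, unexpected binary acquiring a ring is a signal that syscall-level tooling would otherwise never surface. Note the limits: this only sees rings that exist at the moment of the walk, and a ring owner can legitimately be a database, hypervisor or storage daemon, which is why the allow-list matters.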