Researchers Find Threat Vector In Linux Kernel IO Interface io_uring

Cybersecurity researchers at ARMO, a cloud security company, have uncovered a significant blind spot in many Linux runtime security tools, rooted in a lesser-known kernel feature called io_uring. Originally designed to improve performance, this interface is now being leveraged in ways that can bypass traditional detection mechanisms used by endpoint protection tools.

What is io_uring?

io_uring is a Linux kernel system call interface designed for asynchronous I/O (input/output) operations, specifically targeting storage devices. It aims to address performance limitations seen in older I/O interfaces like read/write or aio_read/aio_write. By allowing programs to handle multiple I/O tasks without waiting for each one to finish, io_uring boosts efficiency, particularly for applications that involve heavy data reading and writing.

It was introduced in Linux kernel version 5.1 to provide faster and more efficient I/O operations. Unlike conventional methods that depend on system calls to communicate between user space and the kernel, io_uring uses shared ring buffers.

This design reduces overhead but also creates a detection gap, since many security tools rely on direct system call monitoring to spot suspicious activity.

Proof of Concept

To demonstrate the risk, ARMO's researchers created a proof-of-concept (PoC) rootkit named Curing. This rootkit performs all its operations through io_uring, effectively bypassing system call hooks entirely. During testing, multiple popular runtime security tools—both open source and commercial—did not detect the malicious behavior.

Given the broad functionality io_uring supports, including file operations, network access, and inter-process communication, it potentially allows stealthy, fully functional malware to operate below the radar of traditional syscall-based monitoring.

The implications can stretch far beyond demonstration. Linux underpins the modern cloud ecosystem, powering everything from containers and web servers to critical infrastructure.

According to W3Techs, a technology survey website, Linux powers over half of all websites on the web. If attackers can use interfaces like io_uring to quietly carry out actions without being noticed, organizations of all sizes are potentially at risk.

Security strategies that rely on syscall visibility alone may no longer be sufficient. Many current Linux security tools, particularly those built around eBPF (Extended Berkeley Packet Filter), assume that most meaningful activity will involve system calls.

One area gaining attention is KRSI (Kernel Runtime Security Instrumentation), a Linux feature that allows eBPF programs to attach directly to internal kernel events using the LSM (Linux Security Module) framework. This offers more reliable and in-depth coverage than syscall tracing and may represent a more future-ready approach to runtime monitoring. But adoption of KRSI is still limited, and not all Linux variants and distributions have it enabled by default.
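The paragraphs above make two practical points for a defender: syscall tracing alone can miss work submitted through io_uring, and LSM-hook-based monitoring (KRSI, the BPF LSM) is only an option where the kernel has it enabled. The following POSIX shell script is an added example, not code from ARMO or from the Curing research, that audits a host for both. It assumes that `/sys/kernel/security/lsm` lists the active LSMs (the entry `bpf` means eBPF programs can attach to LSM hooks) and that the `kernel.io_uring_disabled` sysctl exists on kernels 6.6 and later, with 0 meaning io_uring is available to all processes, 1 meaning unprivileged processes cannot create rings, and 2 meaning it is disabled for everyone. The parsing is kept in functions that take their input as an argument so the logic can be checked against constructed values.

```shell
#!/bin/sh
# Added example (not from the ARMO report): audit a Linux host for the
# settings that matter once you know io_uring can sidestep syscall hooks.
#
# Assumptions (not stated on the page):
#   - /sys/kernel/security/lsm holds a comma-separated list of active LSMs;
#     "bpf" present means the BPF LSM (KRSI) is enabled.
#   - /proc/sys/kernel/io_uring_disabled exists on kernel 6.6+:
#     0 = io_uring enabled for all processes,
#     1 = unprivileged processes cannot create io_uring instances,
#     2 = io_uring disabled for all processes.

# Return 0 if the comma-separated LSM list contains "bpf", 1 otherwise.
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Map a kernel.io_uring_disabled value to a human-readable state.
io_uring_state() {
    case "$1" in
        0) echo "enabled for all processes" ;;
        1) echo "disabled for unprivileged processes" ;;
        2) echo "disabled for all processes" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Read the active LSM list from securityfs; empty string if unavailable.
read_active_lsms() {
    if [ -r /sys/kernel/security/lsm ]; then
        cat /sys/kernel/security/lsm
    else
        echo ""
    fi
}

# Read the io_uring sysctl; "absent" on kernels older than 6.6.
read_io_uring_sysctl() {
    if [ -r /proc/sys/kernel/io_uring_disabled ]; then
        cat /proc/sys/kernel/io_uring_disabled
    else
        echo "absent"
    fi
}

# Print a short report on what this host offers for io_uring-aware monitoring.
audit_host() {
    lsms=$(read_active_lsms)
    if lsm_has_bpf "$lsms"; then
        echo "BPF LSM (KRSI): enabled  [active LSMs: $lsms]"
    else
        echo "BPF LSM (KRSI): NOT enabled  [active LSMs: ${lsms:-unavailable}]"
        echo "  -> eBPF programs cannot attach to LSM hooks here; detection"
        echo "     that relies on syscall tracing may miss io_uring activity"
    fi
    v=$(read_io_uring_sysctl)
    if [ "$v" = "absent" ]; then
        echo "kernel.io_uring_disabled: not available (kernel < 6.6)"
    else
        echo "kernel.io_uring_disabled=$v ($(io_uring_state "$v"))"
    fi
}

audit_host
```

If the report shows the BPF LSM is not active, it can usually be turned on at boot by adding `bpf` to the kernel's `lsm=` parameter on a kernel built with `CONFIG_BPF_LSM=y`; a distribution that does not ship that option needs a different kernel before KRSI-style monitoring is possible at all.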

As the Linux kernel continues to evolve, so too must the tools built to secure it. As kernel features grow more complex and performance-focused mechanisms like io_uring become more common, the research shows the need for more adaptive, kernel-aware detection methods rather than surface-level hooks alone.

Learn more about ARMO’s security report and their replication findings on their website here.
