ARMO: io_uring Interface Creates Security ‘Blind Spot’ in Linux
Researchers with cybersecurity firm ARMO built a proof-of-concept (POC) rootkit that bypasses system calls in Linux and creates a “major blind spot” in runtime security tools for the open operating system.
The rootkit, which they dubbed “Curing,” exploits the io_uring interface, an asynchronous I/O mechanism that allows a user application to perform actions without using system calls, and so bypasses traditional system call monitoring tools.
“As a result, security tools relying on system call monitoring are ‘blind’ to rootkits working solely on io_uring,” Amit Schendel, head of security research at the Israeli company, wrote in a report. “Bottom line: There is a massive security loophole in Linux runtime security.”
ARMO launched in 2018 and built its name with an open source security tool for Kubernetes called Kubescape.
A Vulnerable Interface
According to Schendel, io_uring has been around for years since Linux 5.1 was released in 2019, and “since then, it has been notorious in Linux security circles for the sheer number of vulnerabilities in this mechanism.”
Two years ago, ARMO researchers were researching tactics for bypassing eBPF-based monitoring tools and read a blog post by a security analyst with payment technology company Form3 about how io_uring can be exploited to bypass system call monitoring on Linux-based systems. At a recent Chaos Communication Congress hacker event, they decided to dive deeper into io_uring, which “led us to understand how serious the situation is,” Schendel wrote.
He described io_uring as an API specific to the Linux kernel and used for asynchronous I/O. It lets users submit one or more I/O requests that are processed asynchronously without blocking the calling process and its name comes from ring buffers, which are shared between user and kernel spaces.
“This arrangement allows for efficient I/O, while avoiding the overhead of copying buffers between them, where possible,” Schendel wrote. “This interface makes io_uring different from other UNIX-style I/O APIs, wherein, rather than just communicating between kernel and user space with system calls, ring buffers are used as the primary mode of communication.”
Overlooked and Ignored
The ARMO researchers developed the Curing rootkit to highlight the risk of io_uring, which Schendel called an “overlooked mechanism that attackers can exploit” and which many cybersecurity vendors – despite reports of how the technique can be used to bypass detection mechanisms – haven’t addressed.
Monitoring solutions should be compatible with new features in the Linux kernel and address tactics used by bad actors, Schendel wrote, adding that instead, “vendors continue to rely on easy and straightforward solutions that are not immune to changes and diversity of applications and kernel features.”
There are at least 61 operations available through io_uring, including network and file system operations, which makes them attractive to threat groups. ARMO researchers decided to move the threat from theoretical to real and created the Curing rootkit, which uses io_uring for all of its operations.
“The rootkit demonstrates communication between a C2 server and an infected host to pull commands and execute them without making any system calls relevant to its operations,” Schendel wrote. “The main idea was to show that io_uring allows so many important operations that you can write an entire rootkit on top of.”
Failing the Tests
They tested the rootkit out on a range of runtime security tools for Linux, including two Cloud Native Computing Foundation (CNCF) projects, Falco and Tetragon. Both are essentially blind to io_uring-based operations because they rely heavily on a technique called system call hooking.
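One caveat a defender will want: the ring itself is still created with io_uring_setup(2) and, unless the IORING_SETUP_SQPOLL flag hands submission to a kernel thread, driven with io_uring_enter(2), so those setup calls remain visible even when the per-operation reads, writes and connects are not. The following heuristic is an added example, not ARMO’s code or any vendor’s detection rule; it runs over a constructed strace-like log (the pids, paths and line format are made up) and flags processes whose file or network I/O would be invisible to a tool that hooks only the classic I/O system calls.

```python
import re
from collections import defaultdict

# Constructed strace-like lines in the form "<pid> <syscall>(<args>) = <ret>".
# These are illustrative, not real captures.
SAMPLE_LOG = """\
1001 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 3
1001 read(3, "root:*:19000:0:99999:7:::\\n", 4096) = 26
1001 close(3) = 0
2002 io_uring_setup(64, {flags=0}) = 4
2002 io_uring_enter(4, 2, 2, IORING_ENTER_GETEVENTS, NULL, 0) = 2
2002 close(4) = 0
3003 io_uring_setup(256, {flags=IORING_SETUP_SQPOLL}) = 5
3003 nanosleep({tv_sec=1, tv_nsec=0}, NULL) = 0
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)')

# The per-operation calls a syscall-hooking tool typically watches for file/network I/O.
CLASSIC_IO = {"open", "openat", "read", "write", "connect", "sendto", "recvfrom"}

def parse(log):
    """Group (syscall name, raw args) tuples by pid."""
    calls = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls[int(m["pid"])].append((m["name"], m["args"]))
    return calls

def assess(calls):
    """Return {pid: finding} for processes that set up an io_uring instance.

    "sqpoll":    kernel-side submission; even io_uring_enter may never appear
    "ring-only": no classic I/O syscalls at all, so all I/O went through the ring
    "mixed":     ring present alongside classic I/O (lower priority, still worth a look)
    """
    findings = {}
    for pid, events in calls.items():
        names = [n for n, _ in events]
        if "io_uring_setup" not in names:
            continue
        classic = sum(1 for n in names if n in CLASSIC_IO)
        sqpoll = any(n == "io_uring_setup" and "IORING_SETUP_SQPOLL" in a for n, a in events)
        if sqpoll:
            findings[pid] = "sqpoll"
        elif classic == 0:
            findings[pid] = "ring-only"
        else:
            findings[pid] = "mixed"
    return findings
```

Seeing io_uring_setup from a workload that has no business using it is the signal; what the ring then does (the 61 operation types the article mentions) is exactly what this log format cannot show, which is the blind spot.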
They also tested it out with Microsoft Defender for Endpoint, writing that “like several other security products we evaluated, Microsoft Defender for Endpoint on Linux currently lacks comprehensive visibility into various types of threats.”
Those threats included reading sensitive files, dropping the EICAR test malware, executing the XMRig crypto miner, and contacting low-reputation network endpoints.
Google Put Aside io_uring
Google wrote in 2023 that three years earlier it had put kCTF into its Vulnerability Rewards Program for researchers who were testing the security of its Google Kubernetes Engine and the Linux kernel it relied on. kCTF is a template used to deploy tasks using Kubernetes. Google found that 60% of submissions to the program exploited io_uring and that io_uring vulnerabilities were used in all submissions that bypassed Google’s mitigations.
As a result, Google disabled io_uring in ChromeOS and on production Google servers and limited its use on Android devices.
The ARMO researchers wrote that their work developing Curing “is relevant to any Linux environment especially in the modern cloud-native environments. The io_uring mechanism, present in Linux since version 5.1, creates a dangerous blind spot that most security tools don’t look at.”