Cybersecurity researchers have demonstrated a proof-of-concept (POC) rootkit called Curing, which utilizes a Linux asynchronous I/O mechanism called IO_IRING to bypass traditional system call monitoring.
This creates “major blind spots for Linux runtime security tools,” Armo said.
“This mechanism allows user applications to perform a variety of actions without using system calls,” the company said in a report shared with Hacker News. “As a result, security tools that rely on system call monitoring are blind to “RootKits that only work with IO_IRING.” ”
First introduced in March 2019 in Linux kernel version 5.1, IO_URING uses two circular buffers (CQ) to track Asynchronous Mann submissions and I/O requests using two circular buffers called submissions (SQ) and completion queues (CQ) between skin and applications, and two circular buffers called completion queues (CQ).
Devised by ARMO, RootKit facilitates communication between a Command and Control (C2) server and an infected host, obtains commands and runs without running them, without running them.
An analysis of Armo, a currently available Linux runtime security tool, reveals that both Falco and Tetragon are blinding IO_URING-based operations due to the fact that they rely heavily on system call hooks.
CrowdStrike’s Falcon agent, which did not submit a system operation performed using IO_URING, deployed a fix for that issue. However, it is said that Microsoft Defender on Linux’s endpoints does not have the ability to detect different types of threats, regardless of whether IO_URING was used or not.
The security risks raised by IO_IRING have been known for some time. In June 2023, Google revealed that it had decided to “provide powerful exploitation primitives” using the Linux kernel interface across Android, Chromeos, and its production servers.
“On the one hand, you need visibility into system calls, and on the other hand, you need to have enough context access to effectively detect threats.”
“Many vendors get the easiest path. They connect directly to the system call. This approach has quick visibility, but there are limitations. Most notably, they don’t guarantee that the system call is always invoked.
Source link
