A newly developed proof-of-concept (PoC) rootkit has exposed a significant blind spot in many Linux runtime security solutions: by using the io_uring interface to perform its work without traditional system calls, it bypasses detection mechanisms that are built on system call monitoring.
The rootkit, named Curing, takes advantage of io_uring, a high-performance asynchronous I/O interface introduced in Linux kernel 5.1. io_uring carries I/O requests through a pair of shared memory queues between user space and the kernel, the Submission Queue (SQ) and the Completion Queue (CQ), so that individual operations do not need to be issued as conventional system calls.
This approach allows malicious operations to occur beneath the radar of many widely used detection tools that depend on system call hooks for visibility. Because tools like Falco and Tetragon observe activity by intercepting system calls, they do not see operations conducted solely through io_uring.
The rootkit establishes a covert communication channel with a command-and-control (C2) server, executing commands and transferring data without the typical syscall footprint. The stealth this provides significantly complicates detection efforts for defenders relying on traditional telemetry.
An evaluation of various Linux security agents revealed that even prominent solutions failed to detect these activities. While some vendors have already issued patches or updates in response, others still lack the necessary detection capabilities, regardless of whether io_uring is in use.
The potential risks associated with io_uring have been known for some time. In mid-2023, it was disclosed that certain large-scale platforms had taken proactive steps to restrict its use because of its utility in advanced exploitation techniques.
Experts warn that relying solely on system call visibility is no longer sufficient. Effective threat detection increasingly requires deeper integration with kernel internals and more contextual analysis to capture evasive behaviors like those enabled by io_uring.