Linux 'io_uring' security blindspot allows stealthy rootkit attacks
Published on: 2025-08-11 16:00:00
A significant gap in Linux runtime security caused by the 'io_uring' interface allows rootkits to operate undetected on systems while bypassing advanced enterprise security software.
The flaw was discovered by ARMO security researchers who developed a proof-of-concept rootkit called "Curing" to demonstrate the practicality and feasibility of attacks leveraging io_uring for evasion.
io_uring is a Linux kernel interface for efficient, asynchronous I/O operations. It was introduced in 2019 with Linux 5.1 to address performance and scalability issues with the traditional I/O system.
Instead of relying on system calls that cause a lot of overhead and process hangs, io_uring uses ring buffers shared between programs and the system kernel to queue up I/O requests that will be processed asynchronously, allowing the program to keep running.
[Figure: io_uring task submission and completion rings. Source: Donald Hunter]
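Because requests queued on these rings bypass the usual per-operation system calls, a defender's first question is which processes hold an io_uring instance at all. The following is an added example, not code from ARMO or from the original article: it inventories io_uring file descriptors through `/proc` and reads the `kernel.io_uring_disabled` sysctl (available on Linux 6.6 and later). The function names and the `proc_root` parameter are assumptions made for this illustration.

```python
import os

# readlink() target the kernel reports for an io_uring file descriptor
IO_URING_LINK = "anon_inode:[io_uring]"

def find_io_uring_users(proc_root="/proc"):
    """Return {pid: {"comm": name, "fds": [fd, ...]}} for processes holding io_uring fds."""
    users = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():              # skip non-PID entries such as "sys"
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:                      # process exited, or not permitted to look
            continue
        rings = []
        for fd in fd_names:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                  # fd closed between listdir and readlink
                continue
            if target == IO_URING_LINK and fd.isdigit():
                rings.append(int(fd))
        if rings:
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            users[int(entry)] = {"comm": comm, "fds": sorted(rings)}
    return users

def io_uring_disabled(proc_root="/proc"):
    """Return kernel.io_uring_disabled (0 = enabled for all, 1 = restricted for
    unprivileged processes, 2 = disabled for all), or None if the kernel lacks the sysctl."""
    try:
        with open(os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    print("kernel.io_uring_disabled =", io_uring_disabled())
    for pid, info in sorted(find_io_uring_users().items()):
        print(f"pid={pid} comm={info['comm']} io_uring fds={info['fds']}")
```

Run it as root to see descriptors owned by other users; the result is a point-in-time inventory, not continuous monitoring.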
The problem, according to ARMO, arises from the fact that most security t