io_uring based rootkit can bypass syscall-focused Linux security tools
Published on: 2025-08-14 20:16:56
ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface, an asynchronous I/O mechanism that bypasses traditional system calls: operations are submitted through shared ring buffers instead of through the per-operation syscalls (open, read, write, connect, and so on) that such tools hook. Most tools, including Falco, Tetragon, and Microsoft Defender, therefore fail to detect rootkits that use io_uring, because they rely on syscall monitoring. ARMO's proof-of-concept rootkit, Curing, operates fully via io_uring to demonstrate the threat. While some vendors responded with fixes or workarounds, the broader industry remains exposed.
Intro
io_uring has been part of the Linux kernel since 5.1 (released in 2019). Since then, it has been notorious in Linux security circles for the sheer number of vulnerabilities found in the mechanism.
In this blog, we will explore how io_uring can also be used as an evasion technique that affects most Linux runtime security tools today. We will showcase ARMO’s research around this mechanism and its wide impact on the Linux security domain.
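As an added audit check (example code written for this page, not part of the original article and not ARMO's Curing code): syscall hooks miss what happens inside an io_uring ring, but the ring itself is an ordinary file descriptor whose symlink under /proc/&lt;pid&gt;/fd resolves to `anon_inode:[io_uring]`, so a scan of /proc can at least inventory which processes hold rings. The script also reports the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later; 0 = enabled, 1 = restricted to CAP_SYS_ADMIN or the configured group, 2 = disabled). It assumes Linux with /proc mounted and enough privilege to read other processes' fd tables (root for a system-wide view); the `proc_root` parameter exists only so the logic can be exercised on a constructed tree.

```python
#!/usr/bin/env python3
"""Inventory processes holding io_uring rings by walking /proc.

Added example for this page; not ARMO's code. Assumes Linux, a mounted
/proc, and permission to readlink other processes' fds.
"""
import os
from dataclasses import dataclass, field

# The kernel creates io_uring instance files under the name "[io_uring]",
# so /proc/<pid>/fd/<n> symlinks for rings resolve to this exact string.
IO_URING_LINK = "anon_inode:[io_uring]"


@dataclass
class RingUser:
    pid: int
    comm: str
    ring_fds: list[int] = field(default_factory=list)


def ring_fds_from_links(fd_links):
    """Given {fd: symlink target}, return the fds that are io_uring instances."""
    return sorted(fd for fd, target in fd_links.items() if target == IO_URING_LINK)


def read_fd_links(pid, proc_root="/proc"):
    """Read one process's fd table as {fd: symlink target}; {} if gone or denied."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    links = {}
    try:
        for name in os.listdir(fd_dir):
            try:
                links[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue  # fd closed between listdir() and readlink()
    except OSError:
        return {}
    return links


def read_comm(pid, proc_root="/proc"):
    """Short process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan(proc_root="/proc"):
    """Return a RingUser (sorted by pid) for every process holding a ring fd."""
    users = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        fds = ring_fds_from_links(read_fd_links(pid, proc_root))
        if fds:
            users.append(RingUser(pid, read_comm(pid, proc_root), fds))
    return sorted(users, key=lambda u: u.pid)


def io_uring_policy(proc_root="/proc"):
    """Value of kernel.io_uring_disabled (Linux 6.6+), or None if absent."""
    try:
        with open(os.path.join(proc_root, "sys/kernel/io_uring_disabled")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    policy = io_uring_policy()
    label = {0: "enabled", 1: "restricted", 2: "disabled", None: "sysctl not present (kernel < 6.6)"}
    print(f"kernel.io_uring_disabled: {label[policy]}")
    for user in scan():
        print(f"pid {user.pid:>7} {user.comm:<16} io_uring fds: {user.ring_fds}")
```

Treat the output as an inventory rather than an alert: legitimate I/O-heavy software uses io_uring too, so the useful signal is an unexpected process (or an unexpected binary for a known process name) holding a ring. Note the inherent limitation of this check: it is a point-in-time snapshot and sees nothing about which operations the ring has carried, which is exactly what the syscall-hooking tools above cannot see either.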
Background
Two years ago, our team at ARMO conducted research on