
Cybersecurity researchers have uncovered a weakness in current Linux security monitoring approaches, revealing a novel method of stealthy activity that abuses the io_uring mechanism. The core issue is that many security solutions rely heavily on system call monitoring, yet io_uring enables operations to be executed without going through the traditional system call path, thus creating a perilous blind spot.
The discovery centers around a proof-of-concept rootkit named Curing, developed by the ARMO team. This rootkit leverages io_uring—a Linux kernel interface introduced in version 5.1 in March 2019—designed for asynchronous I/O operations between user space and the kernel, using two ring buffers: the submission queue and the completion queue. By directly interacting with these structures, the rootkit is able to receive commands from a command-and-control (C2) server and execute them without generating a single system call, thereby evading detection by most conventional security mechanisms.
The research revealed that widely used tools such as Falco and Tetragon are unable to detect io_uring-based activity, as they rely primarily on intercepting system calls. As a result, threats exploiting this mechanism can slip past them unnoticed. Even CrowdStrike’s Falcon agent, which initially lacked monitoring capabilities for io_uring operations, required subsequent updates to address this shortfall. Nevertheless, according to ARMO, Microsoft Defender for Endpoint on Linux still struggles to effectively detect such attacks, regardless of the mechanism employed.
This concern is not new. As early as 2023, Google acknowledged the risks posed by io_uring, limiting its use across Android, ChromeOS, and its server infrastructure. At the time, Google representatives warned that the interface granted attackers dangerously potent tools for vulnerability exploitation.
ARMO emphasizes that the monitoring approaches of most security solutions remain rudimentary, focusing solely on system call interception as the primary indicator of activity. Yet, in today’s landscape, this is no longer sufficient. The emergence of mechanisms like io_uring vividly illustrates how easily traditional analytic methods can be circumvented.
The conclusion is clear: to ensure effective protection, security frameworks must adopt deeper behavioral monitoring techniques—analyzing the internal structures of the kernel and the interaction logic between system components—rather than relying solely on superficial system call tracing. Without such advancements, rootkits like Curing will continue to grow more sophisticated and elusive.
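One concrete way to start closing the blind spot described above is to look at kernel-exposed state rather than at syscalls: a process can only submit io_uring operations after creating a ring, and that ring shows up as a file descriptor whose `/proc/<pid>/fd/<n>` link target reads `anon_inode:[io_uring]`. The script below is an added example (not code from ARMO or from the original article) that inventories every process holding such a ring so that unexpected users can be baselined and investigated; the `allowlist` of process names is a placeholder the operator fills in.

```python
import os
from typing import Dict, Iterable, Iterator, Tuple

# Link target the kernel reports for an io_uring instance fd under /proc/<pid>/fd/.
IO_URING_TARGET = "anon_inode:[io_uring]"


def iter_fd_links(proc_root: str = "/proc") -> Iterator[Tuple[int, int, str]]:
    """Yield (pid, fd, link_target) for every fd of every process we may read."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we lack privileges for it
            continue
        for fd in fds:
            try:
                yield int(entry), int(fd), os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir() and readlink()


def is_io_uring_fd(target: str) -> bool:
    """True if the fd link target denotes an io_uring ring (not another anon inode)."""
    return target == IO_URING_TARGET


def processes_with_io_uring(fd_links: Iterable[Tuple[int, int, str]]) -> Dict[int, int]:
    """Map pid -> number of io_uring rings it holds, for pids holding at least one."""
    rings: Dict[int, int] = {}
    for pid, _fd, target in fd_links:
        if is_io_uring_fd(target):
            rings[pid] = rings.get(pid, 0) + 1
    return rings


def read_comm(pid: int, proc_root: str = "/proc") -> str:
    """Process name from /proc/<pid>/comm, or '?' if it is gone already."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    allowlist = {"postgres", "mysqld"}  # placeholder: known io_uring users on this host
    for pid, n in sorted(processes_with_io_uring(iter_fd_links()).items()):
        comm = read_comm(pid)
        flag = "" if comm in allowlist else "  <-- not in baseline"
        print(f"pid {pid} ({comm}) holds {n} io_uring ring(s){flag}")
```

Run it as root so every process's fd table is readable; on a host where nothing legitimately uses io_uring, any hit is worth a closer look.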