ARMO: Impact of the io_uring Interface on Linux Security
Security experts at ARMO have uncovered a critical vulnerability within the Linux operating system, creating a significant gap in runtime security.
They have developed a proof-of-concept rootkit named “Curing” that exploits the io_uring interface, enabling malicious activities to evade traditional system call monitoring tools.
The io_uring interface, introduced in Linux 5.1, allows applications to submit I/O operations asynchronously through shared ring buffers instead of issuing a system call for each one, so a rootkit that operates solely through this mechanism is hard for security tools that hook system calls to detect. According to Amit Schendel, head of security research at ARMO, this vulnerability poses a major threat to Linux runtime security.
Established in 2018, ARMO gained recognition for its security tool Kubescape, designed to enhance security in Kubernetes environments.
A Vulnerable Component
Security researcher Amit Schendel highlights that the io_uring interface, existing since the release of Linux 5.1 in 2019, has been associated with numerous vulnerabilities within the Linux security community.
Two years ago, ARMO researchers delved into bypassing eBPF-based monitoring tools after reading a blog post discussing the exploitation of io_uring to evade system call monitoring on Linux systems. Their exploration of io_uring at a recent hacker event revealed the severity of the vulnerability, prompting the development of the Curing rootkit.
Described as an API specific to the Linux kernel for asynchronous I/O operations, io_uring facilitates non-blocking I/O requests transferred between user and kernel spaces through ring buffers. This unique architecture enhances I/O efficiency while reducing buffer copying overhead compared to conventional UNIX-style I/O APIs.
Neglected and Disregarded
Despite reports on the potential exploitation of io_uring to bypass security mechanisms, many cybersecurity vendors have not addressed this vulnerability. Schendel emphasizes the need for monitoring solutions to adapt to new Linux kernel features and counter tactics employed by malicious actors.
ARMO researchers designed the Curing rootkit to shed light on the risks associated with io_uring, an underexplored mechanism susceptible to exploitation by threat actors. They stress that security vendors must move beyond conventional approaches and develop robust solutions capable of combating evolving threats across various applications and kernel features.
With over 61 operations available through io_uring, including network and file system activities, threat groups can leverage this vulnerability for malicious purposes. ARMO researchers substantiated this risk by creating the Curing rootkit, which performs such operations without triggering system calls, thereby illustrating the breadth of potential abuse.
Challenges in Detection
During their evaluation, ARMO researchers tested the Curing rootkit against several runtime security tools for Linux, such as Falco and Tetragon, both sponsored by the Cloud Native Computing Foundation. These tools proved ineffective in detecting io_uring-based operations due to their reliance on system call hooking.
Moreover, assessments conducted with CrowdStrike’s Falcon agent and Microsoft Defender for Endpoint revealed significant gaps in detecting file system operations and other threats associated with io_uring exploitation. The limitations of existing security products underscore the critical need to enhance detection capabilities and address the blind spot inherent in io_uring.
Action by Google
In 2023, Google acknowledged the prevalence of io_uring vulnerabilities in its Vulnerability Rewards Program, where 60% of submissions exploited this interface. In response, Google disabled io_uring on ChromeOS and its production servers, and restricted its usage on Android devices to mitigate potential risks.
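The detection gap described above and the mitigation Google chose can both be checked from the defender's side without hooking system calls. The following Python script is an added example, not ARMO's code or part of Curing, Falco, Tetragon or any other tool named here: it looks for live io_uring rings in /proc/<pid>/fd (the kernel exposes them as anon_inode:[io_uring] links) and reads the kernel.io_uring_disabled sysctl that Linux 6.6 and later provide to restrict or disable the interface. The fd snapshot used in the test is constructed; the /proc paths are real Linux paths.

```python
import os
from pathlib import Path

# An io_uring ring is an anonymous inode; its /proc/<pid>/fd link reads exactly this.
IO_URING_LINK = "anon_inode:[io_uring]"

# Meaning of the kernel.io_uring_disabled sysctl values (Linux 6.6 and later).
SYSCTL_STATES = {"0": "enabled for all processes",
                 "1": "restricted to CAP_SYS_ADMIN or the kernel.io_uring_group group",
                 "2": "disabled"}

def io_uring_fds(fd_targets):
    """Return the fds in a {fd: symlink target} snapshot that are io_uring rings."""
    return sorted(fd for fd, target in fd_targets.items() if target == IO_URING_LINK)

def read_fd_targets(pid, proc_root="/proc"):
    """Snapshot /proc/<pid>/fd symlinks; entries that vanish or are unreadable are skipped."""
    targets = {}
    try:
        for entry in Path(proc_root, str(pid), "fd").iterdir():
            try:
                targets[int(entry.name)] = os.readlink(entry)
            except OSError:  # fd closed under us, or EACCES on another user's process
                continue
    except OSError:  # process exited, or no permission to list its fds
        pass
    return targets

def scan_processes(proc_root="/proc"):
    """Return [(pid, [fds])] for every process currently holding an io_uring ring."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            fds = io_uring_fds(read_fd_targets(entry.name, proc_root))
            if fds:
                findings.append((int(entry.name), fds))
    return findings

def describe_sysctl(value):
    """Map a raw kernel.io_uring_disabled value (as read from /proc/sys) to its meaning."""
    return SYSCTL_STATES.get(value.strip(), "unknown value")

def io_uring_sysctl_state(path="/proc/sys/kernel/io_uring_disabled"):
    """Read the sysctl; None means the running kernel predates it (older than 6.6)."""
    try:
        return describe_sysctl(Path(path).read_text())
    except OSError:
        return None
```

On a live Linux host, scan_processes() and io_uring_sysctl_state() give the current picture; a process holding a ring is not malicious by itself (databases and runtimes use io_uring legitimately), so treat hits as triage leads rather than alerts.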
ARMO researchers assert that their findings on io_uring exploitation are pertinent to the broader Linux ecosystem, particularly in modern cloud-native environments. Existing security tools must acknowledge the blind spot created by the io_uring mechanism and adapt their strategies to safeguard Linux environments effectively.
