Watch out for any Linux malware sneakily evading syscall-watching antivirus
- Reference: 1745952715
- News link: https://www.theregister.co.uk/2025/04/29/linux_io_uring_security_flaw/
That [1]interface allows applications to make IO requests without using traditional system calls. That's a problem for security tools that rely on syscall monitoring to detect threats.
Rather than making a system call for each request, these operations – such as reading and writing files – are queued in ring buffers that the kernel works through, returning the results in separate buffers. Antivirus that watches syscalls for malicious activity may miss changes that instead go through the io_uring queues.
To demonstrate this, security shop ARMO built a proof-of-concept named Curing that lives entirely through io_uring. Because it avoids system calls, the program apparently went undetected by tools including Falco, Tetragon, and Microsoft Defender in their default configurations. ARMO claimed this is a "major blind spot" in the Linux security stack.
The io_uring interface was introduced in Linux kernel version 5.1, released in [5]2019. It was designed to enhance performance by enabling asynchronous I/O operations between user space and the Linux kernel through shared ring buffers. This architecture reduces the number of system calls required for I/O operations and minimizes the overhead of frequent transitions between user space and kernel space.
"Not many companies are using it but you don't need to be using it for an attacker to use it, as it's enabled by default in most Linux systems, potentially tens of thousands of servers," ARMO's CEO Shauli Rozen told The Register. "If you're not using io_uring then disable it, but that's not always easy with cloud vendors."
While syscalls are required to set up io_uring buffers, these management calls look entirely innocent, and the actual malicious activity happens out of sight in the queues. You can see a demonstration of the code in the video below.
We guess antivirus could be updated to flag up any io_uring set-up as potentially harmful; or it could be updated to reach into the kernel, perhaps via eBPF, to monitor io_uring; or you could just switch off the feature if it's not needed.
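As an added example (not code from the article or from ARMO's Curing), here is a small host audit that checks the two defender-side controls discussed above: whether the kernel.io_uring_disabled sysctl (Linux 6.6 and later) has switched the feature off, and which processes currently hold a live io_uring instance, which the kernel exposes in /proc/PID/fd as the symlink target "anon_inode:[io_uring]". The /proc layout is real; the sample data in the test is constructed.

```python
"""Added example: audit io_uring exposure on a Linux host (not ARMO's or the
article's code). Reads /proc when run directly; the helpers also accept
constructed input so the logic can be exercised offline."""
import os
from typing import Dict, Iterable, List, Optional

# Meaning of kernel.io_uring_disabled (Linux >= 6.6); the file is absent on
# older kernels, which offer no sysctl and need seccomp/LSM policy instead.
SYSCTL_STATES = {
    "0": "enabled for all processes (default; syscall-only monitoring has a blind spot)",
    "1": "disabled for unprivileged processes (CAP_SYS_ADMIN or io_uring_group members only)",
    "2": "disabled for all processes",
}


def classify_sysctl(raw: Optional[str]) -> str:
    """Map the raw sysctl value (None when the file does not exist) to a status string."""
    if raw is None:
        return "sysctl absent: kernel older than 6.6, restrict io_uring via seccomp/LSM instead"
    value = raw.strip()
    return SYSCTL_STATES.get(value, f"unexpected value {value!r}")


def read_sysctl(path: str = "/proc/sys/kernel/io_uring_disabled") -> Optional[str]:
    """Return the sysctl file contents, or None if this kernel has no such knob."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def pids_with_rings(fd_targets: Dict[int, Iterable[str]]) -> List[int]:
    """Return PIDs whose fd table contains a live io_uring instance.
    A ring fd's /proc/PID/fd symlink resolves to 'anon_inode:[io_uring]'."""
    return sorted(pid for pid, targets in fd_targets.items()
                  if any(t == "anon_inode:[io_uring]" for t in targets))


def snapshot_fd_targets(proc: str = "/proc") -> Dict[int, List[str]]:
    """Collect readlink targets for every fd of every process (root needed for other users' fds)."""
    out: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            out[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited mid-scan or fds are not readable
    return out


if __name__ == "__main__":
    print("kernel.io_uring_disabled:", classify_sysctl(read_sysctl()))
    print("processes holding io_uring rings:", pids_with_rings(snapshot_fd_targets()))
```

A process appearing in the ring list is not malicious by itself (high-performance servers use io_uring legitimately); the value is in correlating that list against what the host is expected to run.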
[7]YouTube video
"Many vendors take the most straightforward path: Hooking directly into system calls," [9]said Amit Schendel, head of security research at ARMO, in a write-up about the interface.
"While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren't always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example."
We reached out to the antivirus vendors named in ARMO's report. Falco acknowledged the issue and said a fix is in the works. Tetragon claimed the attack is detectable, though not with the default settings most users rely on. As for Redmond:
Microsoft Defender has detections in place to detect and block this threat activity. As a security best practice, we encourage customers to enable always-on protection in Microsoft Defender, and to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files.
Meanwhile, over at Google, patience with io_uring ran out a while ago. In mid-2023, the tech giant [14]disabled it entirely in ChromeOS, restricted its use on Android via seccomp and SELinux policies, and removed it from production servers. The clampdown came after Google shelled out around [15]$1 million in bug bounties linked to io_uring flaws.
Of course, ARMO has also proposed ways to detect malware abusing io_uring. The code for Curing is [16]available on GitHub. ®
[1] https://developers.redhat.com/articles/2023/04/12/why-you-should-use-iouring-network-io
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBFL6mbFpHz7u5rqzY-G7QAAAEQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL6mbFpHz7u5rqzY-G7QAAAEQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL6mbFpHz7u5rqzY-G7QAAAEQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2019/03/07/raspberry_pi_3_model_a_support_to_arrive_in_linux_51/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL6mbFpHz7u5rqzY-G7QAAAEQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.youtube.com/watch?v=oJ6VQO87MIY
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL6mbFpHz7u5rqzY-G7QAAAEQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/
[10] https://www.theregister.com/2025/03/10/rust_drivers_expected_to_become/
[11] https://www.theregister.com/2025/03/12/patch_tuesday/
[12] https://www.theregister.com/2025/03/13/mozilla_certificate_update/
[13] https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/
[14] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4228112
[15] https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
[16] https://github.com/armosec/curing
[17] https://whitepapers.theregister.com/
Re: What a surprise
> A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.
There is no claim that this has been 'hijacked' by any 'miscreants', yet. It's just AFAICT the usual story of an AV/infosec outfit hyping a relative non-issue with a so-called PoC developed by themselves, for rep points.
Rather than release a PoC that does not really constitute a vulnerability (the only 'concept' that it proves is that AV is fundamentally rather futile), a kernel PR would have been more welcome. Any would-be miscreant can take the PoC and perhaps evade detection, but then that is hardly the modern miscreant's primary concern.
Once there is malware running on any system, AV or no AV, you're 90% screwed anyway.
Google search first two hits...
sysctl -w kernel.io_uring_disabled=2
Since kernel 6.6 it can be disabled easily, it can be tested easily. IMHO could have been within the article.
Re: SELinux
Little bit more digging, SL support for monitoring io_uring was added in 5.16 (2022) https://www.paul-moore.com/blog/d/2022/01/linux_v516.html
What a surprise
A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.
I can't help but think that the guy who thought this up must be a serious expert on OSes in general, and on kernels in particular. You have to know the ins and outs of the inner workings of the entire OS stack and the particulars of how it all fits together to dream up a scheme like that and make it work for you.
What a shame that a mind like that decided to employ his formidable intellect for crime, instead of working with Torvalds or Cupertino or even Redmond and making a better world for everyone.