Detecting and Mitigating io_uring Abuse for Malware Evasion

by admin
April 28, 2025
in Cloud Security


What happened?

  • On April 24th, 2025, the security company ARMO published an article describing how to use the io_uring subsystem in Linux to bypass many Linux security tools.
  • ARMO shared a proof-of-concept tool called "curing" to exploit the flaw, which allows some behaviors to go undetected by security tools.
  • ARMO claimed this technique affects many existing security tools, such as CrowdStrike, Microsoft Defender, Falco, and Tetragon.

How Sysdig and Falco users are protected

  1. The Falco detection engine is flexible and allows writing a rule to detect io_uring activity using the io_uring_setup system call.
  2. A new Sysdig Secure rule, Suspicious io_uring Activity Detected, was released to Sysdig customers that detects suspicious use of io_uring.
  3. Falco is releasing new functionality that detects operations initiated through io_uring.

Articles online have claimed this mechanism allows a user application to perform various actions without using system calls, making system call-based tools blind. However, using io_uring as a detection bypass requires an attacker to first gain access to a system. The curing tool does not provide root access or hide resources.

Once access is gained through an exploit or misconfiguration, the malware or exploited process must then call the io_uring system calls before any potentially nefarious activity can go undetected. This provides a good opportunity to detect the defense evasion before it happens. In MITRE ATT&CK terms, Initial Access and then Execution of their malicious code are prerequisites to being able to use io_uring for evasion.

What is io_uring, and how does it work?

io_uring is a Linux API that allows for asynchronous I/O without going through the traditional system calls. It should be noted that the io_uring calls are themselves also system calls. io_uring applies to many system calls that involve input and output, such as file and network operations. By using io_uring, these individual system calls can be bypassed, which can cause security tools to miss those actions.

What io_uring cannot do

io_uring does not apply to actions such as process execution. Any threat detections based on process execution and analysis of the data associated with processes (like their open file descriptors) will be unaffected by this defense evasion technique. Since this is only an evasion technique, no files or processes are hidden by io_uring. System utilities will still operate normally. FANOTIFY, which is a callback system for file operations often used for File Integrity Monitoring, is also unaffected by the use of io_uring.

Most containerized workloads are not affected by this evasion technique, because the default seccomp profile disables the use of io_uring altogether (e.g., Docker). Consider adding the io_uring system calls to your seccomp profile (if they are not already blocked by the default one), with caution; this is the most effective way to make sure the evasion technique won't work. Before adding them to the profile, make sure the system calls are not used by legitimate processes.
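As an added example (not Sysdig's, Docker's or ARMO's code), here is a small Python linter for a Docker-style seccomp profile: it reports which io_uring system calls a profile would let through and produces a hardened copy that denies them. The sample profile is constructed, and the precedence logic is simplified (explicit rules win over defaultAction, any non-ALLOW action is treated as blocking).

```python
import json

# The three io_uring entry points. Denying io_uring_setup alone prevents a
# ring from ever being created; listing all three keeps the intent explicit.
IO_URING_SYSCALLS = ("io_uring_setup", "io_uring_enter", "io_uring_register")

# Constructed excerpt of a Docker-style profile (NOT the real default profile):
# a deny-by-default policy with an allowlist that mistakenly permits io_uring.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "io_uring_setup", "io_uring_enter"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}


def io_uring_status(profile):
    """Return the set of io_uring syscalls this profile would let through."""
    explicit_allow, explicit_deny = set(), set()
    for rule in profile.get("syscalls", []):
        names = set(rule.get("names", [])) & set(IO_URING_SYSCALLS)
        if rule.get("action") == "SCMP_ACT_ALLOW":
            explicit_allow |= names
        else:  # SCMP_ACT_ERRNO, SCMP_ACT_KILL, ... treated as blocking
            explicit_deny |= names
    default_allows = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    return {name for name in IO_URING_SYSCALLS
            if name not in explicit_deny
            and (name in explicit_allow or default_allows)}


def block_io_uring(profile):
    """Return a deep copy with io_uring removed from every allow rule and an
    explicit SCMP_ACT_ERRNO rule appended (the OCI default errno is EPERM)."""
    hardened = json.loads(json.dumps(profile))
    kept = []
    for rule in hardened.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", [])
                             if n not in IO_URING_SYSCALLS]
            if not rule["names"]:
                continue  # drop allow rules that became empty
        kept.append(rule)
    kept.append({"names": list(IO_URING_SYSCALLS), "action": "SCMP_ACT_ERRNO"})
    hardened["syscalls"] = kept
    return hardened


if __name__ == "__main__":
    print("allowed before:", sorted(io_uring_status(SAMPLE_PROFILE)))
    print("allowed after: ", sorted(io_uring_status(block_io_uring(SAMPLE_PROFILE))))
```

Run the linter over the profile you actually pass with `--security-opt seccomp=...` and only apply the hardened copy after confirming that none of your workloads legitimately create rings.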

How to detect io_uring evasion

The use of io_uring calls is not very common, so we have released a new rule, Suspicious io_uring Activity Detected, to the Sysdig Runtime Notable Events managed policy. This rule detects abnormal programs making io_uring calls.
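The rule described above, and the io_uring_setup-based Falco rule from the list earlier, both boil down to "alert when a program that is not known to use io_uring makes an io_uring system call". As an added example (not Sysdig's rule or Falco's code), here is that logic in Python over constructed Falco-style JSON events; the field names mirror Falco's evt.type / proc.name / container.id naming, and the allowlist is an assumed baseline you would build from your own environment.

```python
import json

IO_URING_SYSCALLS = {"io_uring_setup", "io_uring_enter", "io_uring_register"}

# Assumed baseline of programs observed to use io_uring legitimately; build
# yours from real observations before enabling the rule in blocking mode.
KNOWN_IO_URING_USERS = {"postgres", "nginx"}

# Constructed events, one JSON object per line, as a Falco JSON output might
# be exported. These are not real captured data.
SAMPLE_EVENTS = """\
{"evt.type":"io_uring_setup","proc.name":"postgres","proc.pid":1201,"container.id":"host","user.name":"postgres"}
{"evt.type":"openat","proc.name":"bash","proc.pid":4410,"container.id":"3f9a1c","user.name":"root"}
{"evt.type":"io_uring_setup","proc.name":"svc-helper","proc.pid":4417,"container.id":"3f9a1c","user.name":"root"}
{"evt.type":"io_uring_enter","proc.name":"svc-helper","proc.pid":4417,"container.id":"3f9a1c","user.name":"root"}
{"evt.type":"io_uring_enter","proc.name":"svc-helper","proc.pid":4417,"container.id":"3f9a1c","user.name":"root"}
"""


def detect_io_uring_abuse(event_lines, allowlist=KNOWN_IO_URING_USERS):
    """Return one alert per (container, pid) that makes io_uring calls while
    not on the allowlist. Ring setup is the choke point: after it, file and
    network work submitted through the ring no longer shows up as openat/
    connect/read events, so the first io_uring call is what we must catch."""
    alerts = {}
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("evt.type") not in IO_URING_SYSCALLS:
            continue
        if ev.get("proc.name") in allowlist:
            continue
        key = (ev["container.id"], ev["proc.pid"])
        alert = alerts.setdefault(key, {
            "rule": "Suspicious io_uring Activity Detected",
            "proc.name": ev["proc.name"],
            "user.name": ev.get("user.name"),
            "first_call": ev["evt.type"],
            "io_uring_calls": 0,
        })
        alert["io_uring_calls"] += 1  # count, but do not re-alert per call
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_io_uring_abuse(SAMPLE_EVENTS):
        print(json.dumps(alert))
```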


Sysdig customers are protected against io_uring evasion

Our layered approach to threat detection means we cover different stages of an attack:

  • Sysdig Secure's Malware Detection policy is unaffected by this security bypass and by curing, since it uses FANOTIFY to detect file operations. Our malware hashes and YARA rules will operate normally.
  • If your containers have io_uring enabled, Sysdig's Container Drift policy will still detect new executables, since it also uses FANOTIFY.
  • If this evasion technique is used in your environment, some of the existing rules that rely on system calls for file or network operations will be affected.

Falco will be releasing enhancements during the week of April 28th, 2025 that add native functionality to monitor file and network operations that occur through io_uring. This feature will use Kernel Runtime Security Instrumentation to provide visibility into this evasion technique.

Expect an announcement from the Falco community very soon. We will update this space when it is published.

Conclusion

Abusing io_uring can allow malware to bypass some of the detection that Linux security vendors rely on. A layered defense strategy, such as not relying on a single method of detection, helps mitigate this risk. Sysdig Secure now has a rule that can detect this defense evasion, and Falco will soon be able to see through io_uring and detect any threats using the technique published by ARMO.
