Linux Security Tools Bypassed by io_uring Rootkit Technique, ARMO Research Reveals

News Room
Last updated: 2025/09/16 at 6:25 AM
News Room Published 16 September 2025
Security researchers at ARMO have uncovered a significant vulnerability in Linux runtime security tools that stems from the io_uring interface, an asynchronous I/O mechanism that can completely bypass traditional system call monitoring. The research demonstrates how attackers can exploit this blind spot to operate undetected by most existing security solutions.

The team developed a proof-of-concept rootkit called “Curing” that operates entirely through io_uring operations, successfully evading detection by major security tools, including Falco and Microsoft Defender for Endpoint on Linux, and requiring specialized configuration for tools like Tetragon. The rootkit demonstrates full command-and-control functionality without making any of the traditional system calls that security tools typically monitor.

“We presented our research on how to effectively bypass Linux runtime detection tools. This research is relevant to any Linux environment, especially modern cloud-native environments.”

The io_uring interface, introduced in Linux kernel 5.1, was designed to provide high-performance asynchronous I/O through shared ring buffers between user space and kernel space. Unlike traditional Unix I/O operations that rely on system calls, io_uring uses these ring buffers as the primary communication mechanism, effectively creating an alternative pathway that bypasses conventional monitoring approaches.

The research builds upon earlier work by Daniel Teixeira, who first demonstrated the evasion potential of io_uring in 2022, but ARMO’s team has now created the first fully functional rootkit to prove the practical threat. The io_uring interface currently supports 61 different operations, including critical network and file system functions that would typically trigger security alerts.

Testing revealed widespread vulnerabilities across both open-source and commercial security solutions. Falco, a CNCF graduated project widely used for runtime security monitoring, proved completely ineffective against io_uring-based operations due to its reliance on system call hooking. The Falco maintainers have acknowledged the issue and are working on LSM-based plugins to address the gap. Microsoft Defender for Endpoint on Linux showed similar blind spots, failing to detect various malicious activities, including sensitive file access, malware deployment, and cryptocurrency mining operations when executed through io_uring. The researchers noted that only the File Integrity Monitoring module, which likely uses Fanotify hooks, provided any detection capability.

The research exposes fundamental limitations in current eBPF-based security approaches that many vendors have adopted. While eBPF offers performance and safety advantages for building security agents, its verifier constraints often push vendors toward the simplest implementation approach of hooking directly into system calls.

This straightforward method provides quick visibility but assumes system calls will always be invoked for security-relevant operations. The io_uring bypass demonstrates that this assumption is increasingly unreliable as kernel interfaces evolve. The researchers emphasize that security vendors need to move beyond simple syscall monitoring to remain effective against modern evasion techniques.

ARMO’s research identifies several approaches for detecting io_uring-based attacks. The most promising long-term solution involves implementing KRSI (Kernel Runtime Security Instrumentation), which builds on the Linux Security Module framework to provide more reliable coverage through LSM hooks rather than syscall monitoring.

Alternative detection strategies include monitoring for anomalous io_uring usage patterns, since most legitimate applications don’t typically use this interface. However, this approach requires careful implementation to avoid false positives in dynamic environments. Security teams can also identify alternative hook points across the kernel stack, though this requires deeper kernel internals expertise. The researchers also suggest following the Windows security model, where Microsoft moved away from unreliable SSDT hooking toward structured notification routines that guarantee callback execution. Linux’s KRSI represents a similar evolution, providing more consistent security event coverage that’s harder to bypass through creative syscall avoidance.
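One way to implement the usage-anomaly approach described above, as an added example that is not ARMO's code: on Linux, a descriptor returned by io_uring_setup(2) appears under /proc/<pid>/fd as a symlink to "anon_inode:[io_uring]", so a periodic /proc sweep can list which processes hold rings without depending on syscall hooks. The allowlist of expected io_uring users is a hypothetical placeholder to be tuned per host, and the sample data is constructed.

```python
"""Scan /proc for processes holding io_uring instances (added example, not ARMO's code).
A descriptor from io_uring_setup(2) shows in /proc/<pid>/fd/<n> as a symlink to
"anon_inode:[io_uring]", giving a cheap signal that needs no syscall hooking."""
import os
from typing import Dict, Iterable, List, Tuple

IO_URING_LINK = "anon_inode:[io_uring]"
# Hypothetical allowlist of process names expected to use io_uring on this host.
DEFAULT_ALLOWLIST = frozenset({"postgres", "nginx", "qemu-system-x86_64"})
FdMap = Dict[Tuple[int, str], List[str]]  # (pid, comm) -> readlink() targets of its fds


def find_io_uring_users(fd_links: FdMap, allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> List[dict]:
    """Return one finding per process owning io_uring fds; flag names not on the allowlist."""
    allow = set(allowlist)
    findings = []
    for (pid, comm), links in sorted(fd_links.items()):
        rings = sum(1 for target in links if target == IO_URING_LINK)
        if rings:
            findings.append({"pid": pid, "comm": comm, "io_uring_fds": rings,
                             "suspicious": comm not in allow})
    return findings


def scan_proc(proc_root: str = "/proc") -> FdMap:
    """Collect fd link targets for every process (root is needed to read other users' fds)."""
    result: FdMap = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc_root}/{entry}/fd"
            links = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, fd closed mid-scan, or permission denied
            continue
        result[(int(entry), comm)] = links
    return result

# Constructed sample of what scan_proc() might return on a host.
SAMPLE: FdMap = {
    (1234, "postgres"): ["/dev/null", IO_URING_LINK, "socket:[4242]"],
    (4321, "bash"): ["/dev/pts/0", "/dev/pts/0"],
    (5555, "updater"): [IO_URING_LINK, IO_URING_LINK, "/tmp/.cache"],
}

if __name__ == "__main__":
    for finding in find_io_uring_users(scan_proc()):
        print(finding)
```

Run it as root from cron or a systemd timer and forward the "suspicious" findings to your SIEM; a process that acquires a ring but is not a known io_uring user is the cheap first-stage alert, not proof of a rootkit.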

This vulnerability has particular significance for cloud-native environments where Linux forms the foundation of containerized infrastructure. The widespread deployment of container orchestration platforms and microservices architectures means that a single security blind spot can have cascading effects across entire deployments. The research underscores the need for security solutions to be forward-compatible with evolving kernel features rather than relying on legacy monitoring approaches. As kernel interfaces continue to expand with new asynchronous mechanisms and performance optimizations, security tools that fail to adapt will leave increasingly large gaps in protection.
