Just watching syscalls misses the io_uring interface to the kernel, allowing malware to go undetected.
On the news-I-missed front:
https://www.theregister.com/2025/04/29/linux_io_uring_security_flaw/
PoC Code:
https://github.com/armosec/curing
The article mentions a couple of endpoint detection & prevention tools, but not giant #crowdstrike
Interested to see if CrowdStrike watches io_uring calls. (I bet it will now.)
Invisible rootkits: the new challenge for security tools on Linux #io_uring #seguridad #linux https://blog.desdelinux.net/rootkits-invisibles-el-nuevo-desafio-para-las-herramientas-de-seguridad-en-linux/
Whoa, hold up! There's a new Linux rootkit dubbed "Curing" out in the wild, and it's got a nasty trick: leveraging `io_uring` to slip right past traditional security tools. Why? Because most of those tools are laser-focused on system calls... which `io_uring` can bypass.
So, what's the deal with `io_uring`? Picture an application chatting directly with the kernel, essentially skipping the front desk where system calls usually check in. "Curing" exploits this direct line for its command-and-control communication, leaving *none* of the usual suspicious system call footprints. Talk about stealth mode! And heads up – Google has actually been warning about the potential risks here for some time.
Speaking from a pentester's perspective, this is yet another stark reminder: just relying on "basic" security isn't going to cut it. We really need to dive deeper, get our hands dirty with kernel-level analysis and understanding. Let's be clear: running automated scans is *not* the same as a thorough penetration test!
What about you? Are you utilizing `io_uring` in your environment? What kind of security measures have you put in place around it? Seriously curious – how do you see kernel security evolving from here? Let's discuss!
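A practical starting point for the question above ("are you using io_uring, and what have you put around it?") is to inventory which processes on a host actually hold an io_uring instance and what the kernel's policy for it is. The script below is an added example, not code from any of the posts or from the Curing project. It relies on two facts about Linux: a descriptor created by io_uring_setup(2) shows up under /proc/<pid>/fd as a symlink whose target is `anon_inode:[io_uring]`, and kernels 6.6 and later expose the `kernel.io_uring_disabled` sysctl (0 = allowed for everyone, 1 = only root/CAP_SYS_ADMIN and the `kernel.io_uring_group`, 2 = disabled). The `build_fake_proc` helper builds a constructed /proc look-alike so the logic can be exercised off a real host.

```python
"""Inventory io_uring users on a Linux host and report the kernel's io_uring policy.

Added example (not from the posts above). Assumes the /proc link target
"anon_inode:[io_uring]" and the kernel.io_uring_disabled sysctl (Linux 6.6+).
"""
import os
import tempfile

# readlink() on /proc/<pid>/fd/<n> returns this for an fd made by io_uring_setup(2)
IO_URING_LINK = "anon_inode:[io_uring]"

# Meaning of kernel.io_uring_disabled; None covers kernels without the sysctl.
POLICY_TEXT = {
    0: "io_uring enabled for all processes",
    1: "io_uring restricted to root, CAP_SYS_ADMIN and kernel.io_uring_group",
    2: "io_uring disabled for all processes",
    None: "kernel.io_uring_disabled not present (kernel older than 6.6, or not Linux)",
}


def io_uring_fds(fd_dir):
    """Return the fd numbers in one /proc/<pid>/fd directory that are io_uring instances."""
    found = []
    try:
        names = os.listdir(fd_dir)
    except OSError:          # process gone, or fd table not readable (needs root for other users)
        return found
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:      # fd closed between listdir() and readlink()
            continue
        if target == IO_URING_LINK:
            found.append(int(name))
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> sorted io_uring fds for every process under proc_root holding at least one."""
    result = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            fds = io_uring_fds(os.path.join(proc_root, entry, "fd"))
            if fds:
                result[int(entry)] = fds
    return result


def read_policy(proc_root="/proc"):
    """Return the integer value of kernel.io_uring_disabled, or None if the sysctl is absent."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def report(proc_root="/proc"):
    """Human-readable summary: policy line first, then one line per io_uring-using process."""
    lines = [f"policy: {POLICY_TEXT[read_policy(proc_root)]}"]
    users = scan_proc(proc_root)
    for pid, fds in sorted(users.items()):
        lines.append(f"pid {pid}: io_uring fds {fds}")
    if not users:
        lines.append("no process currently holds an io_uring instance")
    return lines


def build_fake_proc(entries, policy=None):
    """Constructed fixture: a throwaway directory shaped like /proc.

    entries maps pid -> {fd: link_target}; policy, if given, is written as the sysctl value.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, links in entries.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in links.items():
            os.symlink(target, os.path.join(fd_dir, str(fd)))
    if policy is not None:
        sysdir = os.path.join(root, "sys", "kernel")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "io_uring_disabled"), "w") as f:
            f.write(f"{policy}\n")
    return root


if __name__ == "__main__":
    print("\n".join(report()))   # run as root to see other users' fd tables
```

Two caveats worth keeping in mind when reading the output: io_uring_setup(2) is itself an ordinary system call, so the creation of an instance is still visible to syscall-based auditing even though the operations submitted through the ring afterwards are not; and the fd listing is a point-in-time snapshot, so it belongs in a periodic check or a baseline rather than standing in for runtime monitoring.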
Do any operating systems other than #Linux (#Windows, #macOS, #FreeBSD, #OpenBSD, etc) have an API for non-blocking file IO?
I know Linux has that in #io_uring, which can do almost any IO operation (even fsync) in the background and tell you when it's done, but is that the only OS with such a feature?
HAPPY 18TH BIRTHDAY #VarnishCache! To celebrate this memorable occasion, we have just tagged Version 1.0.0-rc1 of https://gitlab.com/uplex/varnish/slash, which contains fellow, our advanced, #io_uring-based, high-performance, eventually persistent, always consistent #opensource storage engine.
Read the full announcement: https://varnish-cache.org/lists/pipermail/varnish-announce/2024-February/000762.html
And the changelog: https://gitlab.com/uplex/varnish/slash/-/blob/master/CHANGES.rst?ref_type=heads