PoC Rootkit Curing Evades Traditional Linux Detection Systems
Researchers have created a proof-of-concept (PoC) rootkit called Curing that uses Linux's io_uring feature to evade traditional system call monitoring, raising concerns about the effectiveness of current Linux detection systems.
The Concept Behind Curing
Curing is a PoC rootkit designed to demonstrate the potential risks associated with Linux's asynchronous I/O mechanism, io_uring. The project was born at the latest CCC conference (#38c3) and is named after its creators' love for both the 'C' programming language and io_uring.
How Curing Works
Curing uses io_uring to carry out its work without issuing traditional system calls. io_uring exposes shared ring buffers (a submission queue and a completion queue) mapped between user space and the kernel: an application places its I/O requests in the submission ring and the kernel processes them, so individual operations never appear as system calls and syscall-based security tools never see them. The feature was introduced in Linux kernel version 5.1 in March 2019.
The Impact of Curing
The rootkit demonstrates communication between a Command and Control (C2) server and an infected host to pull commands and execute them without making any system calls relevant to its operations. This highlights the potential for malicious actors to use io_uring-based systems to bypass traditional security tools.
Testing Curing Against Popular Security Tools
The researchers tested Curing against several popular security tools, including Linux EDR solutions, container security tools, and even Microsoft Defender. While some of these tools were able to detect certain malicious activities, others proved blind or vulnerable to the rootkit's tactics.
Challenges for Traditional Security Solutions
The researchers speculate that many Linux EDRs are not equipped to monitor io_uring-based activity, making it difficult to detect and prevent such attacks. This raises concerns about the efficacy of traditional security solutions in protecting against io_uring-based rootkits.
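The two passages above make the same point from different angles: operations submitted through io_uring's shared rings never pass through the syscall interface, so a syscall-based EDR has nothing to hook. One cheap, userspace-only cross-check a defender can run is to inventory which processes hold an io_uring instance at all, because the instance itself is still a file descriptor backed by an anonymous inode that the kernel names "[io_uring]", and /proc/<pid>/fd/<n> links to it. The script below is an added example written for this article; it is not code from the Curing project or from any EDR vendor. The sample fd table and the allow-list of "expected" io_uring users are constructed for illustration.

```python
"""Inventory processes that hold io_uring instances by inspecting /proc.

Added example (not part of the Curing project or the article). A syscall
monitor never sees requests placed in io_uring's shared rings, but the ring
itself is a file descriptor whose /proc link target reads
"anon_inode:[io_uring]", so listing those links is a cheap cross-check.
"""
import os
from dataclasses import dataclass

# Link target the kernel reports for an io_uring anonymous inode.
IO_URING_LINK = "anon_inode:[io_uring]"

# Constructed sample of one process's /proc/<pid>/fd readlink() results.
SAMPLE_FD_LINKS = {
    0: "/dev/null",
    1: "/dev/pts/0",
    3: "socket:[12345]",
    4: IO_URING_LINK,
    5: "anon_inode:[eventpoll]",
    9: IO_URING_LINK,
}

# Constructed allow-list: command names an operator has vetted as legitimate
# io_uring users in their environment (assumption, not a general-purpose list).
EXPECTED_IO_URING_USERS = frozenset({"vetted-db-server"})


@dataclass(frozen=True)
class IoUringHolder:
    pid: int
    comm: str
    fds: tuple  # fd numbers backed by io_uring instances


def classify_fd_links(fd_links):
    """Return the sorted fd numbers whose link target is an io_uring inode."""
    return tuple(sorted(fd for fd, target in fd_links.items()
                        if target == IO_URING_LINK))


def read_fd_links(pid, proc_root="/proc"):
    """Read every symlink in /proc/<pid>/fd; {} if the process is gone or unreadable."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    links = {}
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return links
    for name in names:
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue  # fd closed between listdir and readlink, or odd entry
    return links


def read_comm(pid, proc_root="/proc"):
    """Return the process's command name, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def find_io_uring_holders(proc_root="/proc"):
    """Scan all numeric /proc entries and report processes holding io_uring fds."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return []
    holders = []
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        fds = classify_fd_links(read_fd_links(pid, proc_root))
        if fds:
            holders.append(IoUringHolder(pid, read_comm(pid, proc_root), fds))
    return holders


def unexpected_holders(holders, allowlist=EXPECTED_IO_URING_USERS):
    """Keep only holders whose command name is not on the operator's allow-list."""
    return [h for h in holders if h.comm not in allowlist]


if __name__ == "__main__":
    # Live run on the local host; an empty result means no process currently
    # holds an io_uring instance (or /proc is not available on this platform).
    for holder in unexpected_holders(find_io_uring_holders()):
        print(f"pid={holder.pid} comm={holder.comm} io_uring_fds={holder.fds}")
```

This tells a defender only that a process owns a ring, not what it submits through it; that still narrows a hunt considerably, since on most hosts few processes use io_uring at all. Pairing this with kernel-side visibility (an eBPF agent, or the io_uring restrictions available in newer kernels) is what closes the gap the article describes.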
A Shift Towards eBPF-Based Agents
The report concludes that many commercial vendors are shifting towards building eBPF-based agents because of their perceived safety for use in EDR and CWPP products. However, this shift also brings inherent challenges and constraints, particularly with regard to the verifier's strict limitations on what code can be safely loaded.
Conclusion
Curing highlights the potential risks of io_uring-based tooling being used to evade traditional security tools. As the Linux ecosystem continues to evolve, it is essential for security vendors to adapt and develop effective countermeasures against such threats.