A newly revealed proof-of-concept (PoC) rootkit named Curing is sparking concern in the Linux security community. Developed by cybersecurity researchers at ARMO, Curing leverages the io_uring asynchronous I/O interface to bypass traditional system call monitoring. As a result, it can escape detection by many runtime security tools.
First introduced in Linux kernel 5.1 (March 2019), io_uring is a system call interface that enhances I/O performance. It uses two ring buffers, a submission queue (SQ) and a completion queue (CQ), to manage I/O requests between user space and the kernel asynchronously. This setup improves efficiency by reducing system call overhead.
However, the same feature that boosts performance can also be misused. Attackers now see it as a potential loophole.
According to ARMO, the io_uring interface allows user-space applications to perform actions without making traditional system calls. This presents a major issue for Linux runtime security tools that rely heavily on system call monitoring.
“This mechanism allows a user application to perform various actions without using system calls,” ARMO noted. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”
The Curing rootkit exploits this blind spot. It communicates with a command-and-control (C2) server and executes instructions on the infected system. Critically, it does so without generating system calls that might otherwise trigger alerts. Instead, it uses only io_uring to carry out its operations.
This method introduces a significant challenge for current Linux defenses. Many tools still depend on monitoring system calls to detect threats. However, if those calls are never made, these tools fail to notice the attack.
Therefore, the existence of Curing is a wake-up call. It shows that attackers are adapting quickly and finding new ways to stay hidden.
To counter this threat, security tools must evolve. It’s no longer enough to rely on system call monitoring alone. Solutions should also include deeper inspection of kernel interfaces like io_uring.
Technologies such as eBPF can help improve visibility into kernel behavior. Additionally, combining system call tracking with behavioral analytics may reveal suspicious activity that would otherwise go unnoticed.
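As an added illustration of that "deeper inspection" point (this is not code from ARMO or from the article), the Python check below inventories which processes currently hold an io_uring instance by reading the /proc/<pid>/fd symlinks, which the kernel labels anon_inode:[io_uring], and reports the kernel.io_uring_disabled sysctl on kernels that have it. The sample descriptor list is constructed.

```python
import os
from collections import defaultdict

# Link target the kernel gives every io_uring instance's descriptor
IO_URING_LINK = "anon_inode:[io_uring]"

def io_uring_users(fd_links):
    """Map pid -> [fd, ...] for (pid, fd, link_target) tuples that are io_uring rings."""
    users = defaultdict(list)
    for pid, fd, target in fd_links:
        if target == IO_URING_LINK:
            users[pid].append(fd)
    return dict(users)

def scan_proc(proc="/proc"):
    """Yield (pid, fd, link_target) for every readable /proc/<pid>/fd entry.
    Other users' processes need root; unreadable ones are skipped, not fatal."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                yield int(entry), int(fd), os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue

def io_uring_sysctl(path="/proc/sys/kernel/io_uring_disabled"):
    """kernel.io_uring_disabled: 0 allowed, 1 privileged only, 2 off; None before kernel 6.6."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

# Constructed sample shaped like /proc/<pid>/fd symlink targets
SAMPLE_FD_LINKS = [
    (1204, 5, "anon_inode:[io_uring]"),
    (1204, 6, "anon_inode:[io_uring]"),
    (2331, 7, "anon_inode:[eventpoll]"),
    (4410, 4, "anon_inode:[io_uring]"),
]

if __name__ == "__main__":
    print("kernel.io_uring_disabled:", io_uring_sysctl())
    for pid, fds in sorted(io_uring_users(scan_proc()).items()):
        print(f"pid {pid} holds io_uring ring fds {fds}")
```

This is an inventory rather than a Curing detector: legitimate io_uring users such as databases will appear too, so the value is in baselining which processes are expected to hold rings and alerting on newcomers.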
In conclusion, while io_uring improves performance, it also opens the door to advanced threats. The security community must now close that door before it becomes a favorite tool of real-world attackers.
Copyright 2024 techprovidence