Bypass Linux EDRs: Using io_uring Rootkit for Stealth File Manipulation
Want to learn how a rootkit can use io_uring to slip past security tools such as Linux EDRs? This article explores Curing, a proof-of-concept rootkit, and shows why monitoring that relies on system-call hooks or traces does not see its file and network activity.
What is Curing and Why Should You Care About io_uring?
Curing is a rootkit PoC that uses the Linux io_uring interface to perform file and network operations without issuing the corresponding system calls (syscalls). Security tools that detect malicious behaviour by hooking or tracing syscalls such as openat, read, write, symlinkat or connect therefore never see those operations. io_uring is not being exploited here; it is used exactly as designed, which is what makes the technique hard to block. The name "Curing" is a portmanteau of "C" and "io_uring," reflecting its core technology.
Key Takeaway:
- Any monitor that watches only syscalls has a blind spot for I/O performed through io_uring. Curing's success against several popular security solutions is a demonstration of that blind spot, not of a bug in any one product.
How Does The io_uring Rootkit Achieve Syscall Bypassing?
The secret lies in io_uring, a high-performance asynchronous I/O interface in the Linux kernel. Instead of calling read(), write() or symlinkat() one at a time, a process describes each operation in a submission queue entry (SQE) placed in a ring buffer shared with the kernel; the kernel executes the operations and posts results to a completion ring. Here's a breakdown:
- Client-Server Architecture: The Curing client connects to a C2 server and receives commands to execute.
- io_uring for Command Execution: Instead of the usual syscalls for reading/writing files or creating symbolic links, the client submits the equivalent io_uring operations (opcodes such as IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_WRITE and IORING_OP_SYMLINKAT).
- Stealth Operations: Because the file and network operations never pass through the openat/read/write/connect syscall entry points, a tool that hooks or traces those syscalls sees nothing. What remains visible is the small set of io_uring syscalls (io_uring_setup, io_uring_enter, io_uring_register), which legitimate high-performance software also uses and whose arguments do not reveal which operation was submitted.
Proof of Concept: Bypassing Falco using io_uring
A demonstration showcases Curing's ability to bypass Falco, a widely used open-source runtime security tool whose default rules key on syscall events. The PoC includes the commands needed to build and run both the client and server components of Curing.
Actionable Insight:
- Review the Falco bypass demo, then check whether your own detection rules match only the file and network syscalls Curing replaces, or also on io_uring_setup/io_uring_enter activity from processes that have no business using asynchronous I/O.
Proving Zero Syscalls (Almost)
Achieving zero syscalls is technically impossible: the ring itself is created with io_uring_setup and mmap, and submissions are normally kicked off with io_uring_enter. What Curing minimizes is its use of the syscalls an EDR associates with the attack. Running the client under strace confirms this: the file and network operations appear only as io_uring_enter calls, and no openat, read, write, symlinkat or connect shows up for the files and sockets the rootkit touches. Note that with the IORING_SETUP_SQPOLL flag the kernel polls the submission ring from its own thread, so after setup even io_uring_enter is largely unnecessary.
Important Note:
- The goal is not to avoid syscalls altogether but to avoid the ones detection rules key on. An io_uring_enter that carries an openat or a write is invisible to a rule that matches only on openat or write.
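The mechanism described in the breakdown above and the strace check from this section, as an added example that is not part of Curing or of the original page: a C program, using the raw io_uring interface rather than liburing, that creates a file, writes to it and reads it back with every file operation submitted as an io_uring SQE. The path /tmp/curing_demo.txt, the message and the helper names (ring_init, ring_do, uring_roundtrip) are this example's own choices. It assumes a Linux 5.6 or later kernel (the first release with IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_WRITE and IORING_OP_CLOSE) and an environment where io_uring is not blocked by seccomp or the kernel.io_uring_disabled sysctl; where it is blocked, uring_roundtrip returns the negative errno instead of crashing.

```c
/* Added example, not Curing's code: write a file and read it back with every file
 * operation (openat, write, read, close) expressed as an io_uring SQE. strace sees
 * io_uring_setup, mmap and io_uring_enter, never openat/read/write on the file.
 * Raw interface, no liburing. Needs Linux 5.6+. Path and message are placeholders. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/io_uring.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

struct ring {
    int fd;
    struct io_uring_params p;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;
};

/* Create the ring and map the SQ ring, CQ ring and SQE array into our address space. */
static int ring_init(struct ring *r, unsigned entries)
{
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(__NR_io_uring_setup, entries, &r->p);
    if (r->fd < 0)
        return -errno; /* EPERM/ENOSYS here usually means seccomp or io_uring_disabled */
    size_t sq_len = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    size_t cq_len = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    char *sq = mmap(NULL, sq_len, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_SQ_RING);
    char *cq = mmap(NULL, cq_len, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_CQ_RING);
    r->sqes = mmap(NULL, r->p.sq_entries * sizeof(struct io_uring_sqe),
                   PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_SQES);
    if (sq == MAP_FAILED || cq == MAP_FAILED || r->sqes == MAP_FAILED)
        return -errno;
    r->sq_tail  = (unsigned *)(sq + r->p.sq_off.tail);
    r->sq_mask  = (unsigned *)(sq + r->p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + r->p.sq_off.array);
    r->cq_head  = (unsigned *)(cq + r->p.cq_off.head);
    r->cq_tail  = (unsigned *)(cq + r->p.cq_off.tail);
    r->cq_mask  = (unsigned *)(cq + r->p.cq_off.ring_mask);
    r->cqes     = (struct io_uring_cqe *)(cq + r->p.cq_off.cqes);
    return 0;
}

/* Queue one SQE, submit it, wait for its CQE and return the result (-errno on error).
 * The operation lives in the SQE's opcode field; the only syscall issued is io_uring_enter. */
static int ring_do(struct ring *r, unsigned char op, int fd, const void *addr,
                   unsigned len, unsigned flags)
{
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    struct io_uring_sqe *sqe = &r->sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = op;
    sqe->fd = fd;
    sqe->addr = (unsigned long)addr;
    sqe->len = len;          /* byte count for READ/WRITE, mode for OPENAT */
    sqe->open_flags = flags; /* O_* flags for OPENAT; zero for the other opcodes */
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        return -errno;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE))
        return -EAGAIN; /* no completion posted; should not happen with min_complete=1 */
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);
    return res;
}

/* Write msg to path, then read it back, entirely through io_uring.
 * Returns bytes read, or -errno (e.g. -EPERM where io_uring is blocked). */
int uring_roundtrip(const char *path, const char *msg, char *out, unsigned cap)
{
    struct ring r;
    int fd, rc = ring_init(&r, 4);
    if (rc < 0) return rc;
    fd = ring_do(&r, IORING_OP_OPENAT, AT_FDCWD, path, 0644, O_WRONLY | O_CREAT | O_TRUNC);
    rc = fd < 0 ? fd : ring_do(&r, IORING_OP_WRITE, fd, msg, (unsigned)strlen(msg), 0);
    if (fd >= 0) ring_do(&r, IORING_OP_CLOSE, fd, NULL, 0, 0);
    if (rc >= 0) {
        fd = ring_do(&r, IORING_OP_OPENAT, AT_FDCWD, path, 0, O_RDONLY);
        rc = fd < 0 ? fd : ring_do(&r, IORING_OP_READ, fd, out, cap, 0);
        if (fd >= 0) ring_do(&r, IORING_OP_CLOSE, fd, NULL, 0, 0);
    }
    close(r.fd); /* teardown only; the data path above issued no openat/read/write syscalls */
    return rc;
}

int main(void)
{
    char buf[64] = {0};
    int n = uring_roundtrip("/tmp/curing_demo.txt", "written via io_uring\n", buf, sizeof buf - 1);
    if (n < 0) { fprintf(stderr, "io_uring path failed: %s\n", strerror(-n)); return 1; }
    printf("read back %d bytes: %s", n, buf);
    return 0;
}
```

Build with `gcc -O2 -o uring_demo uring_demo.c` and run it under `strace -f -e trace=openat,read,write,io_uring_setup,io_uring_enter ./uring_demo`. On a successful run the trace shows one io_uring_setup and six io_uring_enter calls (open, write, close, open, read, close); the dynamic loader's openat calls for shared libraries and printf's final write(1) still appear, but nothing touches /tmp/curing_demo.txt through a syscall. strace cannot even tell which opcode each io_uring_enter carried, because that sits in the mmap'd submission ring rather than in the syscall arguments, which is exactly why a syscall-only monitor misses the file activity.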
What Can Curing Do? Features of the io_uring Rootkit
Curing is capable of a variety of actions. These include:
- Reading and writing files.
- Creating symbolic links.
- Establishing communication with a command-and-control (C2) server.
- Future possibilities include process execution.
- Any other potential feature leveraging io_uring.
io_uring Quick Start: Experimenting with the Technology in a Safe Environment
Want to get your hands dirty with io_uring? The project provides examples you can use to test and understand the technology better.
Requirements for Running Curing
To run Curing, you'll need:
- A Linux kernel version 5.1 or later. io_uring itself appeared in 5.1, but the opcodes Curing's features rely on arrived later: IORING_OP_CONNECT in 5.5, IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_WRITE and IORING_OP_CLOSE in 5.6, and IORING_OP_SYMLINKAT in 5.15. Submitting an opcode the running kernel lacks fails with -EINVAL in the completion entry.
- An environment where io_uring is permitted: some container runtimes block io_uring_setup in their default seccomp profile, and kernels from 6.6 onward can disable the interface system-wide through the kernel.io_uring_disabled sysctl, in which case the client cannot create its ring at all.
Disclaimer: Use with Caution and Ethically
This project is intended for research and educational purposes only. Do not use it for malicious activities. The developers are not responsible for any misuse of this technology. The primary goal is to raise awareness of how io_uring can be leveraged to circumvent security measures relying on syscall monitoring in Linux EDRs and container security.