Security researchers at ARMO have published a proof-of-concept Linux rootkit called Curing that uses the io_uring interface to stay hidden from runtime security tools. Once running, it fetches commands from a remote server and executes them, performing its file and network I/O through io_uring rather than through the conventional system calls. Runtime security tools such as Falco and Tetragon, whose default detection relies on hooking those system calls, did not detect Curing in ARMO's testing. Because such tools are widely deployed in enterprise environments, this is a significant gap in Linux runtime security.
The io_uring interface, added in Linux 5.1, provides asynchronous I/O through two ring buffers shared between user space and the kernel: a submission queue, into which the application writes requests, and a completion queue, from which it reads results.
After the ring is set up, an application queues file, socket and other I/O operations as entries in the submission queue; the kernel executes them and posts results to the completion queue, so the process never issues the individual openat(2), read(2), write(2), connect(2) or similar calls that security tools typically hook. The only system calls that remain visible are io_uring_setup(2) and io_uring_enter(2), and in SQPOLL mode a kernel thread polls the submission queue so that even io_uring_enter can largely be avoided. This makes io_uring attractive both for legitimate high-performance I/O and for malware that wants to stay below a syscall-based monitor.
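To make the blind spot concrete, here is an added example (not ARMO's Curing code and not from the original article) that opens, reads and closes a file entirely through io_uring using the raw syscall ABI, without liburing. The helper names (ring_init, ring_op, read_file_via_io_uring, demo_roundtrip), the sample file contents and the /tmp path are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/io_uring.h>
#ifndef __NR_io_uring_setup   /* fallback for libc headers that predate io_uring */
#define __NR_io_uring_setup 425
#define __NR_io_uring_enter 426
#endif

/* Minimal wrapper over the raw io_uring ABI (no liburing); one request at a time. */
struct ring {
    int fd; struct io_uring_params p;
    void *sq, *cq; struct io_uring_sqe *sqes; struct io_uring_cqe *cqes;  /* shared mappings */
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_mask;
};
static int ring_init(struct ring *r) {
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(__NR_io_uring_setup, 4, &r->p);   /* the one visible setup syscall */
    if (r->fd < 0) return -errno;
    size_t sq_sz = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    size_t cq_sz = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    r->sq = mmap(NULL, sq_sz, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_SQ_RING);
    r->cq = mmap(NULL, cq_sz, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_CQ_RING);
    r->sqes = mmap(NULL, r->p.sq_entries * sizeof(struct io_uring_sqe),
                   PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, IORING_OFF_SQES);
    if (r->sq == MAP_FAILED || r->cq == MAP_FAILED || r->sqes == MAP_FAILED) {
        int e = errno; close(r->fd); return -e;
    }
    char *sq = r->sq, *cq = r->cq;
    r->sq_tail  = (unsigned *)(sq + r->p.sq_off.tail);
    r->sq_mask  = (unsigned *)(sq + r->p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + r->p.sq_off.array);
    r->cq_head  = (unsigned *)(cq + r->p.cq_off.head);
    r->cq_mask  = (unsigned *)(cq + r->p.cq_off.ring_mask);
    r->cqes     = (struct io_uring_cqe *)(cq + r->p.cq_off.cqes);
    return 0;
}
static void ring_close(struct ring *r) {
    munmap(r->sqes, r->p.sq_entries * sizeof(struct io_uring_sqe));
    munmap(r->sq, r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned));
    munmap(r->cq, r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe));
    close(r->fd);
}
/* Queue one request, enter the kernel once, return its CQE result (>= 0 or -errno). */
static int ring_op(struct ring *r, unsigned char op, int fd, const void *addr,
                   unsigned len, unsigned flags) {
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    struct io_uring_sqe *sqe = &r->sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = op; sqe->fd = fd; sqe->addr = (unsigned long)addr;
    sqe->len = len; sqe->open_flags = flags;          /* union member; 0 for READ/CLOSE */
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);      /* publish to the kernel */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        return -errno;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);      /* consume the CQE */
    return res;
}
/* Open, read and close `path` purely via io_uring opcodes (Linux >= 5.6); bytes read or -errno. */
long read_file_via_io_uring(const char *path, char *buf, unsigned len) {
    struct ring r;
    int rc = ring_init(&r);
    if (rc < 0) return rc;
    long n = ring_op(&r, IORING_OP_OPENAT, AT_FDCWD, path, 0, O_RDONLY);   /* not openat(2) */
    if (n >= 0) {
        int fd = (int)n;
        n = ring_op(&r, IORING_OP_READ, fd, buf, len, 0);                  /* not read(2) */
        ring_op(&r, IORING_OP_CLOSE, fd, NULL, 0, 0);                      /* not close(2) */
    }
    ring_close(&r);
    return n;
}
/* Self-check: write a constructed sample with plain write(2) and read it back through the ring.
 * Returns 1 on byte-exact match, 0 on mismatch, -errno if io_uring is unusable (e.g. -EPERM). */
int demo_roundtrip(const char *path) {
    static const char msg[] = "hello from io_uring\n";   /* constructed sample data */
    char buf[64] = {0};
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -errno;
    ssize_t w = write(fd, msg, sizeof msg - 1);
    close(fd);
    if (w != (ssize_t)(sizeof msg - 1)) return -EIO;
    long n = read_file_via_io_uring(path, buf, sizeof buf - 1);
    if (n < 0) return (int)n;
    return n == (long)(sizeof msg - 1) && memcmp(buf, msg, (size_t)n) == 0;
}
int main(void) {
    int rc = demo_roundtrip("/tmp/io_uring_demo.txt");
    printf("%s\n", rc == 1 ? "match via io_uring" : rc == 0 ? "MISMATCH" : strerror(-rc));
    return rc == 1 ? 0 : 1;
}
```

Build it with gcc and run it under strace -f -e trace=openat,read,close,io_uring_setup,io_uring_enter: the openat/write/close you see belong to the sample-file setup, while the read-back path shows only io_uring_setup and io_uring_enter, which is exactly what a rule keyed on read(2) of a sensitive file never observes. Some container runtimes' default seccomp profiles deny io_uring_setup, in which case demo_roundtrip returns -EPERM rather than 1; that refusal is itself the simplest mitigation.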
ARMO's researchers pointed out that many Linux security tools rely on system call hooking (kprobes or eBPF programs attached at syscall entry) as their primary source of events. Because Curing's file and network activity never crosses the syscall boundary as individual operations, those tools see nothing suspicious. The researchers warn that this is a blind spot attackers can exploit using legitimate, modern kernel features rather than any bug.
This has led to calls for detection models that do not stop at the syscall boundary. In practice that means hooking deeper in the kernel, for example at the VFS or LSM layer (security_file_open, security_socket_connect and similar hooks), which io_uring-issued operations still pass through; alerting on io_uring_setup and io_uring_enter from processes that have no business using them; or, where the feature is not needed, disabling it outright, which kernels from 6.6 onward support through the kernel.io_uring_disabled sysctl.
Google previously flagged io_uring as risky and limited its use across Android, ChromeOS, and internal systems in 2023. They noted that io_uring provides powerful primitives that are useful but also dangerously exploitable by attackers. ARMO’s Amit Schendel emphasized the need for broader kernel visibility to detect sophisticated threats using newer techniques. He warned that relying only on system calls is insufficient as attackers adopt more advanced and covert strategies.