The root grabs a stronghold on the penguin

  • Javier Conejo del Cerro
  • 28 Apr
  • 2 min read



A new proof-of-concept rootkit called Curing has exposed a significant blind spot in Linux security—an evasion technique that allows attackers to operate undetected within critical systems. Curing leverages io_uring, a Linux asynchronous I/O mechanism, to bypass detection methods that rely on system call monitoring. The result is a stealthy mechanism that triggers no system calls, raises no flags, and activates no alarms. Although initially presented as a proof of concept, Curing stands as a serious warning about the risks and vulnerabilities present in modern Linux runtime defenses.

This development underlines not only the ingenuity of current attack strategies but also the urgency of reevaluating traditional defense assumptions. In environments where performance optimization features are prioritized, the very mechanisms designed to increase efficiency may end up widening the attack surface.


Hitting where detection doesn’t look


The problem is not rooted in the Linux systems themselves but in the defensive tools deployed to protect them. Most Linux runtime security solutions, including well-known tools such as Falco and Tetragon, rely heavily on monitoring system calls, assuming these to be the primary gateway for malicious activity. However, io_uring, introduced in Linux kernel version 5.1, enables user-space applications to perform asynchronous I/O operations directly through shared ring buffers with the kernel. This mechanism allows actions to occur without invoking traditional system calls.

This feature is precisely what makes Curing such a dangerous concept. The attack surface includes Linux servers operating within sensitive environments where io_uring is often used to boost performance. These environments include cloud workloads, containerized infrastructures, CI/CD pipelines, and production servers. Their critical function makes them attractive targets for attackers seeking stealth, persistence, and deep control over business operations.


Bypassing the eyes


Curing exploits io_uring’s asynchronous architecture to execute commands and maintain communication with its command-and-control server without generating system calls. This design allows the rootkit to bypass syscall-dependent detection tools such as Falco and Tetragon entirely.

Through this approach, attackers may quietly exfiltrate valuable data, including configuration files, access credentials and tokens, SSH private keys, environment variables, database access keys, source code, and pipeline secrets. The stealth provided by io_uring enables the attacker to maintain a silent foothold within compromised systems, fetching commands, executing payloads, and extracting sensitive information without raising suspicion.


Closing the blind spot


  • Expand detection beyond system calls to include kernel structures and user-kernel interactions.
  • Monitor io_uring queues and asynchronous I/O activities.
  • Apply kernel hardening strategies to reduce exploitation opportunities.
  • Restrict or disable io_uring where not strictly necessary.
  • Enforce strict runtime policies and least privilege access controls.
  • Regularly audit and test detection tools for coverage against non-syscall-based threats.
  • Monitor for unusual behaviors, such as unexpected process activity or abnormal I/O patterns.
  • Stay informed about emerging Linux kernel exploitation techniques and update defenses accordingly.
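As an added example (not code from the article or from the Curing project), the following Python script inventories which processes on a Linux host hold io_uring instances and reports whether the kernel.io_uring_disabled sysctl restricts their creation, which supports the "monitor io_uring activity" and "restrict io_uring" points above. It assumes that an io_uring instance shows up in /proc/<pid>/fd as a symlink to the anonymous inode "anon_inode:[io_uring]"; the EXPECTED_USERS allowlist is a hypothetical per-host tuning value.

```python
#!/usr/bin/env python3
"""Inventory processes holding io_uring descriptors (added example, not from the article)."""
import os
from typing import Dict, Iterable, Iterator, Optional, Set, Tuple

# Assumption: io_uring_setup(2) returns an anonymous inode that /proc exposes as this link.
IO_URING_TARGET = "anon_inode:[io_uring]"
# Hypothetical allowlist of workloads expected to use io_uring on this host; tune per fleet.
EXPECTED_USERS: Set[str] = {"postgres", "nginx", "qemu-system-x86_64"}

def walk_fd_links(proc: str = "/proc") -> Iterator[Tuple[int, str, int, str]]:
    """Yield (pid, comm, fd, link_target) for every readable descriptor under /proc."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc}/{pid}/fd"
            for fd in os.listdir(fd_dir):
                try:
                    yield pid, comm, int(fd), os.readlink(f"{fd_dir}/{fd}")
                except OSError:
                    continue  # descriptor closed mid-scan, or not readable by us
        except OSError:
            continue  # process exited, or /proc/<pid> not readable when unprivileged

def io_uring_users(links: Iterable[Tuple[int, str, int, str]],
                   expected: Set[str] = EXPECTED_USERS) -> Dict[int, dict]:
    """Group io_uring descriptors by pid; flag processes that are not on the allowlist."""
    report: Dict[int, dict] = {}
    for pid, comm, fd, target in links:
        if target != IO_URING_TARGET:
            continue
        rec = report.setdefault(pid, {"comm": comm, "fds": [], "unexpected": comm not in expected})
        rec["fds"].append(fd)
    return report

def io_uring_disabled(path: str = "/proc/sys/kernel/io_uring_disabled") -> Optional[int]:
    """Return kernel.io_uring_disabled (0 = allowed, 1 = CAP_SYS_ADMIN or kernel.io_uring_group
    members only, 2 = disabled), or None on kernels before 6.6 that lack the sysctl."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return None

if __name__ == "__main__":
    print("kernel.io_uring_disabled =", io_uring_disabled())
    for pid, rec in sorted(io_uring_users(walk_fd_links()).items()):
        flag = "UNEXPECTED" if rec["unexpected"] else "expected"
        print(f"pid {pid} ({rec['comm']}): {len(rec['fds'])} io_uring fd(s) [{flag}]")
```

Run it as root to see every process; an unprivileged run only covers the caller's own processes, so the absence of hits is not evidence that io_uring is unused.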