io_uring based rootkit can bypass syscall-focused Linux security tools

https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security
39•hexhu•9mo ago

Comments

arghwhat•9mo ago
The title is somewhat misleading, as it suggests an io_uring issue when there is none - it's just that anti-virus solutions like Microsoft Defender try to monitor syscalls but don't monitor io_uring.

They're far from guaranteed to catch things they monitor anyway, and I feel they mostly just exist to let enterprise pretend they care about security by buying ineffective band aids and duct tape. I guess a legal defense is more important than a technical one.

StressedDev•9mo ago
You are right that this is not an io_uring issue.

I think you underestimate the value of anti-virus. Anti virus software is a good second line of defense. It’s not perfect but it will stop a lot of known malware. This has value.
arghwhat•9mo ago
I wouldn't consider it a second line of defense - as a rule of thumb, it will only catch old and overused attack vectors, and rarely well.

Anything novel will fly right past it, and it will have false positives. Plastering ineffective or mildly effective security everywhere in the name of "defense in depth" can have negative value as it reduces diligence in applying more relevant security measures that aren't just a random package install.

nicce•9mo ago
It's like the last line of defence. If you are lucky, it helps.
dallbee•9mo ago
I cannot upvote this hard enough.

I see this all the time with VPNs. By having everything behind the company VPN, application security isn't taken as seriously. As a result, lateral access becomes trivial at these companies.

Keeping everything public internet exposed from the start actually results in better security.

the8472•9mo ago
Security software can have negative value when it increases attack surface[0], shuts down infrastructure[1], impedes productivity or pushes users towards workarounds that make things overall less secure.

[0] page 11 https://services.google.com/fh/files/misc/m-trends-2025-en.p...

[1] https://news.ycombinator.com/item?id=41002195

fmajid•9mo ago
Read Tavis Ormandy’s take-downs of Sophos or Symantec antivirus software. They are so sloppily written they vastly increase your exposure, including zero-click exploitation by simply receiving a crafted message.
croes•9mo ago
Anti virus is also a good second attack vector so sometimes anti virus is the reason for malware in the system in the first place.
jmclnx•9mo ago
Seems to go back to the old pick 2 of these for your system:

* fast

* secure

* easy

wmf•9mo ago
These security tools need to block any system call they don't recognize (fail closed). Obviously this breaks some apps but the alternative is huge security holes.
hellow0rld123•9mo ago
Maybe not blocking, but the problem is that they rely on system calls for visibility for system events and that's the problem because we have mechanisms like io_uring which can allow attackers to do certain actions without making any system calls.
wmf•9mo ago
io_uring is a system call. Security tools could analyze it but they don't because they haven't been updated.
PeterWhittaker•9mo ago
This isn't a "bypass" (and it certainly isn't "terrifying", as reported on /. and elsewhere).

1. The program can only do what it is permitted to do: io_uring just reduces the number of system calls required - but since it works on file descriptors, you must have already acquired the fd in the correct mode.

2. Some monitoring systems hook into system calls and report when they are used: io_uring and opcodes mean the program can perform actions without being noticed by these programs...

3. ...which can report on the use of the system calls that set up io_uring access...

4. ...and could report on the resulting I/O by other means.

I won’t go so far as to say this is a nothing burger, but it feels close.

yencabulator•9mo ago
> io_uring just reduces the number of system calls required - but since it works on file descriptors, you must have already acquired the fd in the correct mode.

With the caveat that you can open files through io_uring requests, too: https://www.man7.org/linux/man-pages/man3/io_uring_prep_open...

And they might not have traditional FDs: https://lwn.net/Articles/863071/

But yes, it's bad security architecture (fail-open), not updated fast enough.

The real answer is probably something more like Landlock, where it's the kernel's job to understand syscall semantics.

PeterWhittaker•9mo ago
True, but even those calls require appropriate permissions, and will fail if the program lacks said perms. (Just to emphasize the point that the original article doesn't provide a means of privilege escalation, nor exploit a vulnerability.)
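
Two points from the thread, that a monitor can report on the syscalls that set up io_uring access and that it should fail closed on syscalls it does not recognize, sketched as detection logic over audit records. This is an added example, not part of the thread or the linked article: the record lines are constructed, `HANDLED`, `analyze` and `ring_allowlist` are hypothetical names, and it assumes x86_64 audit rules that already record these syscalls.

```python
import re

# x86_64 syscall numbers (audit arch=c000003e).
IO_URING = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}
# Syscalls the hypothetical monitor has handlers for (assumption, kept small).
HANDLED = {2: "open", 42: "connect", 59: "execve", 257: "openat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd SYSCALL records (abridged fields), not from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:900): arch=c000003e syscall=257 success=yes exit=3 pid=4100 comm="backup" exe="/usr/bin/backup"
type=SYSCALL msg=audit(1700000000.205:901): arch=c000003e syscall=425 success=yes exit=4 pid=4242 comm="worker" exe="/opt/app/worker"
type=SYSCALL msg=audit(1700000000.209:902): arch=c000003e syscall=426 success=yes exit=1 pid=4242 comm="worker" exe="/opt/app/worker"
type=SYSCALL msg=audit(1700000000.300:903): arch=c000003e syscall=425 success=no exit=-1 pid=4300 comm="probe" exe="/tmp/probe"
type=SYSCALL msg=audit(1700000000.410:904): arch=c000003e syscall=322 success=yes exit=0 pid=4400 comm="odd" exe="/tmp/odd"
"""


def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def analyze(log, ring_allowlist=frozenset()):
    """Return (alerts, blind_pids); each alert is (pid, exe, reason)."""
    alerts, blind = [], set()
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        nr, pid, exe = int(rec["syscall"]), int(rec["pid"]), rec["exe"]
        if nr == 425:
            created = rec.get("success") == "yes"
            if created:
                # This pid can now submit opens, reads and connects as ring
                # requests instead of the individual syscalls a monitor hooks.
                blind.add(pid)
            if exe not in ring_allowlist:
                reason = "io_uring ring created" if created else "io_uring setup attempted"
                alerts.append((pid, exe, reason))
        elif nr not in IO_URING and nr not in HANDLED:
            # Fail closed: an unrecognised syscall is reported, not ignored.
            alerts.append((pid, exe, f"unhandled syscall {nr}"))
    return alerts, blind


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, {"/opt/app/worker"})[0]:
        print(alert)
```

An allowlisted binary still lands in the blind set: the allowlist only suppresses the alert, while the set marks processes whose I/O has to be observed by other means.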