io_uring Is Back, This Time as a Rootkit

This technique lets an attacker abuse the Linux io_uring subsystem by crafting malicious submission queue entries, so that the resulting I/O never passes through the system call hooks that traditional defenses monitor. The following protection guardrails address the later steps of such an attack: if the initial compromise or the subsequent rootkit deployment occurs within a container, Container Drift Protection (Binaries & Scripts) helps prevent the execution of unauthorized tools or dropped components that were not present in the original image. If the installed components then attempt to establish command and control through a reverse shell, Reverse Shell Protection detects and blocks the binding of the shell's input/output to a network socket. Unlike security solutions that rely solely on syscall monitoring, BlueRock is therefore not blind to io_uring-based attacks.
- T1106: Native API: The article describes a technique in which attackers abuse the io_uring asynchronous I/O framework to execute arbitrary code in kernel context. This is a clear example of misusing an Application Programming Interface (API) to perform actions outside its intended functionality, here to execute malicious code in the kernel. This aligns with the MITRE ATT&CK Technique T1106: Execution through API.
- T1068: Exploitation for Privilege Escalation: The rootkit technique allows attackers to execute code within the kernel's address space by manipulating the io_uring submission queue. This indicates that the attackers are using the legitimate processing of I/O requests to execute their code, effectively abusing the kernel's normal operations to bypass security mechanisms. This is an example of Exploitation for Privilege Escalation, where attackers exploit vulnerabilities to gain higher privileges, in this case, kernel-level execution. This aligns with the MITRE ATT&CK Technique T1068: Exploitation for Privilege Escalation.
- T1211: Exploitation for Defense Evasion: The article mentions that the rootkit circumvents common kernel security defenses such as Kernel Page Table Isolation (KPTI) or Supervisor Mode Execution Prevention (SMEP). This implies a Security Feature Bypass, where the attacker specifically targets and bypasses security mechanisms designed to prevent unauthorized code execution in the kernel. This is consistent with the MITRE ATT&CK Technique T1211: Exploitation for Defense Evasion.
- T1564: Hide Artifacts: By operating within io_uring, the rootkit can potentially hide its activities from security tools that monitor traditional system call hooks or kernel module presence. This stealth capability is indicative of the rootkit's use of techniques to avoid detection, aligning with the MITRE ATT&CK Technique T1564: Hide Artifacts, which involves concealing malicious activity from security monitoring.
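An added example, not BlueRock's product code, of a host-side check for the two signals discussed above (the guardrails paragraph and the Hide Artifacts point): a process holding an io_uring instance (its /proc/<pid>/fd link reads `anon_inode:[io_uring]`) and a shell whose stdin/stdout/stderr are bound to a socket, the reverse-shell pattern. `REVERSE_SHELL_FDS` and `IO_URING_FDS` are constructed fd tables, and `scan_procfs` needs root to read other users' fd tables.

```python
import os
import re

# Shells whose stdio should be a tty or pipe; a socket on fd 0/1/2 is the reverse-shell pattern.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # /proc/<pid>/fd link target of a socket
IO_URING_TARGET = "anon_inode:[io_uring]"    # link target of an io_uring instance fd

def classify_fd_table(comm, fd_links):
    """Evaluate one process from its comm name and an {fd: link-target} map."""
    io_uring_fds = sorted(fd for fd, t in fd_links.items() if t == IO_URING_TARGET)
    stdio_on_socket = any(SOCKET_RE.match(fd_links.get(fd, "")) for fd in (0, 1, 2))
    is_shell = os.path.basename(comm) in SHELL_NAMES
    return {"io_uring_fds": io_uring_fds, "shell_stdio_socket": is_shell and stdio_on_socket}

def read_fd_table(pid):
    """Read /proc/<pid>/fd symlinks into {fd: target}; entries that vanish mid-scan are skipped."""
    table, fd_dir = {}, f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process exited, or not ours (other users' tables need root)
        return table
    for name in names:
        try:
            table[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
    return table

def scan_procfs():
    """Walk /proc and return (pid, comm, findings) for every process that triggers a rule."""
    hits = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        findings = classify_fd_table(comm, read_fd_table(pid))
        if findings["io_uring_fds"] or findings["shell_stdio_socket"]:
            hits.append((pid, comm, findings))
    return hits

# Constructed fd tables standing in for two /proc/<pid>/fd listings (not captured from a real host).
REVERSE_SHELL_FDS = {0: "socket:[41233]", 1: "socket:[41233]", 2: "socket:[41233]", 3: "/dev/null"}
IO_URING_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 5: "anon_inode:[io_uring]"}
if __name__ == "__main__":
    for pid, comm, findings in scan_procfs():
        print(pid, comm, findings)
```

An io_uring fd alone is not malicious (databases and I/O-heavy services use it legitimately), so treat that finding as a prompt to inspect the process, while a shell with stdio on a socket is the pattern Reverse Shell Protection blocks outright.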