Detecting and Mitigating io_uring Abuse for Malware Evasion

By Michael Clark - APRIL 25, 2025

What happened?

  • On April 24th, 2025, the security company ARMO released an article describing how to use the io_uring system in Linux to bypass many Linux security tools. 
  • ARMO shared a proof-of-concept tool called “curing” to exploit the flaw, which allows some behaviors to go undetected by security tools.
  • ARMO claimed this technique affects many current security tools, such as Crowdstrike, Microsoft Defender, Falco, and Tetragon. 

How Sysdig and Falco users are protected

  1. The Falco detection engine is flexible and allows writing a rule to detect io_uring activity using the io_uring_setup system call.
  2. A new Sysdig Secure rule, Suspicious io_uring Activity Detected, was released to Sysdig users that detects suspicious use of io_uring. 
  3. Falco is releasing new functionality that detects operations initiated by io_uring.

Articles online have claimed this mechanism allows a user application to perform various actions without using system calls, making system call-based tools blind. However, using io_uring as a detection bypass requires an attacker to first gain access to a system. The curing tool does not provide root access or hide resources.

Once access is obtained through an exploit or misconfiguration, the malware or exploited process must then call the io_uring system calls before any potentially nefarious activity can go undetected. This provides an ideal opportunity to detect the defense evasion before it occurs. In MITRE ATT&CK terms, Initial Access and then Execution of the attacker's malicious code are prerequisites for using io_uring for evasion.

What is io_uring, and how does it work?

io_uring is a Linux API that allows for asynchronous I/O without going through traditional system calls. Note that the io_uring calls themselves are also system calls. io_uring covers many system calls that involve input and output, such as file and network operations. By submitting those operations through io_uring instead, a program avoids issuing the individual system calls, so security tools that hook them can miss these actions.

What io_uring cannot do

io_uring does not apply to activities such as process execution. Any threat detections based on process execution and analysis of the data associated with processes (like their open file descriptors) will be unaffected by this defense evasion technique. Since this is just an evasion technique, no files or processes are hidden using io_uring. System utilities will still operate normally. FANOTIFY, which is a callback system for file operations often used for File Integrity Monitoring, is also unaffected by the use of io_uring. 

Most containerized workloads are not affected by this evasion technique, as the default seccomp profile disables the usage of io_uring altogether (e.g., Docker). Consider adding the io_uring system calls to your seccomp profile (if the default one does not already block them); this is the most reliable way to be sure the evasion technique won't work, but do it with caution. Before changing the profile, ensure that the system calls aren't used by legitimate processes.
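As an added example (not a profile shipped by Docker or Sysdig), the fragment below is a constructed seccomp profile that denies the three io_uring entry points with EPERM (errnoRet 1). It uses an allow-by-default policy only to keep the example short; in practice, start from your runtime's default allowlist profile and make sure these three names are absent from it, or merge this `syscalls` entry into it.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["io_uring_setup", "io_uring_enter", "io_uring_register"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
```

Apply it with `docker run --security-opt seccomp=./deny-io-uring.json ...` (file name is an assumption); a process that then calls io_uring_setup receives EPERM, and the attempt still surfaces as a failed system call for tools that monitor syscall exits.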

How to detect io_uring evasion

The use of io_uring calls is not very common, so we have released a new rule, Suspicious io_uring Activity Detected, to the Sysdig Runtime Notable Events managed policy. This rule detects abnormal programs making io_uring calls.
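Covering both the Falco rule described earlier and the detection described here, the rule below is an added example written for this article, not the Sysdig-managed rule of the same name. It assumes a Falco build whose driver emits the io_uring_setup, io_uring_enter and io_uring_register syscall events, and the allowlist `io_uring_expected_binaries` is a hypothetical, empty list you would populate from a baseline of your own hosts.

```yaml
# Added example rule, not the Sysdig-managed "Suspicious io_uring Activity Detected" rule.
# Assumes a Falco build whose driver emits the io_uring_setup, io_uring_enter
# and io_uring_register syscall events.

- list: io_uring_expected_binaries
  # Hypothetical allowlist: populate from a baseline of legitimate io_uring users
  # on your hosts (for example a database or proxy known to use it). Empty by default.
  items: []

- rule: io_uring Usage by Unexpected Process (example)
  desc: >
    A process issued an io_uring system call. io_uring is rarely used outside a
    few high-performance servers, and once a ring is set up, later file and
    network operations may not appear as ordinary system calls. Tune the
    allowlist rather than disabling the rule.
  condition: >
    evt.type in (io_uring_setup, io_uring_enter, io_uring_register)
    and evt.dir = <
    and not proc.name in (io_uring_expected_binaries)
  output: >
    io_uring syscall from unexpected process
    (syscall=%evt.type res=%evt.res proc=%proc.name pid=%proc.pid
    cmdline=%proc.cmdline parent=%proc.pname user=%user.name
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [host, container, mitre_defense_evasion, T1562]
```

The rule fires on the syscall exit (`evt.dir = <`) regardless of the result, so attempts that seccomp rejects with EPERM are still reported; drop that behaviour by adding `and evt.rawres >= 0` if you only want successful ring setups.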

Sysdig customers are protected against an io_uring evasion

Our layered approach to threat detection means we cover different stages of an attack:

  • Sysdig Secure’s Malware Detection policy is unaffected by this security bypass and curing as it uses FANOTIFY to detect file operations. Our malware hashes and Yara rules will operate normally. 
  • If your containers have io_uring enabled, Sysdig’s Container Drift policy will still detect new executables since it also uses FANOTIFY. 
  • If this evasion technique is used in your environment, some of the existing rules that rely on system calls for file or network operations will be affected. 

Support for the Falco community

Falco will be releasing improvements during the week of April 28th, 2025 that will add native functionality to observe file and network operations that occur through io_uring. This feature will use Kernel Runtime Security Instrumentation to provide visibility for this evasion technique.

Expect an announcement from the Falco team very soon. We will update this space when it is published. 

Conclusion

Abusing io_uring can allow malware to bypass some of the detection that Linux security vendors use. A layered defense strategy, such as not relying on a single means of detection, helps mitigate this risk. Sysdig Secure now has a rule that will detect this defense evasion, and Falco will soon be able to see through io_uring and detect any threats using the technique published by ARMO.