
Detecting and Mitigating io_uring Abuse for Malware Evasion

Blog post from Sysdig

Post Details
Company: Sysdig
Date Published:
Author: Michael Clark
Word Count: 833
Language: English
Summary

In an article published on April 25, 2025, the security company ARMO described a way to use Linux's io_uring interface to bypass certain security tools, which they presented as a risk for systems protected by products such as CrowdStrike, Microsoft Defender, Falco, and Tetragon. The technique is demonstrated with a tool called "curing": because io_uring lets a process perform I/O without issuing the usual system calls, the actions it carries out are not seen by security tools that rely on system call monitoring. It does require the attacker to already have access to the targeted system. In response, Sysdig and the Falco project developed detection for suspicious io_uring activity: Sysdig released a new rule for its users, and Falco planned to ship improved detection later the same week. The post also puts the risk in context: io_uring provides asynchronous I/O without the traditional system calls, but it does not hide files or processes, and most containerized workloads are unaffected because their default security profiles restrict it. A layered defense is recommended to mitigate the remaining risk, and Sysdig and Falco are continuing to work on detecting and preventing abuse of io_uring.