
Watch out for any Linux malware sneakily evading syscall-watching antivirus


A proof-of-concept program has been released to demonstrate a so-called monitoring "blind spot" in how some Linux antivirus and other endpoint protection tools use the kernel's io_uring interface.

That interface allows applications to make IO requests without using traditional system calls. That's a problem for security tools that rely on syscall monitoring to detect threats.

Rather than making a system call for each request, these operations – such as reading and writing files – are queued in ring buffers that the kernel works through, returning the results in a separate completion buffer. Antivirus that watches syscalls for malicious activity may miss changes that instead go through the io_uring queues.

To demonstrate this, security shop ARMO built a proof-of-concept named Curing that operates entirely through io_uring. Because it avoids system calls, the program apparently went undetected by tools including Falco, Tetragon, and Microsoft Defender in their default configurations. ARMO claimed this ...
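A defender-side check that follows from the above, added here as an example and not code from the article or from ARMO's Curing PoC: it walks /proc and inventories processes holding io_uring instances, whose fd symlinks resolve to the anonymous inode name "anon_inode:[io_uring]", so such processes can be surfaced even though their I/O never passes a syscall hook. The proc_root parameter is an assumption so the scan can be exercised against a constructed directory tree.

```python
"""Inventory processes that hold io_uring instances by walking /proc.

Added example (not the article's or ARMO's code). Assumes Linux, where an
io_uring instance is an anonymous inode and the /proc/<pid>/fd/<n> symlink
for it resolves to the literal string "anon_inode:[io_uring]". proc_root
is a hypothetical parameter so the scan can run against a constructed tree.
"""
import os
from dataclasses import dataclass, field

IO_URING_TARGET = "anon_inode:[io_uring]"


@dataclass
class IoUringUser:
    pid: int
    comm: str
    fds: list = field(default_factory=list)


def _read_comm(pid_dir: str) -> str:
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8", errors="replace") as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_io_uring_users(proc_root: str = "/proc") -> list:
    """Return one IoUringUser per process holding at least one io_uring fd."""
    found = []
    # Only numeric entries are processes; /proc/sys, /proc/self etc. are skipped.
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        pid_dir = os.path.join(proc_root, str(pid))
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not readable (run as root for full coverage)
        ring_fds = []
        for fd in fd_names:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir() and readlink()
            if target == IO_URING_TARGET:
                ring_fds.append(int(fd))
        if ring_fds:
            found.append(IoUringUser(pid, _read_comm(pid_dir), sorted(ring_fds)))
    return found


if __name__ == "__main__":
    for user in find_io_uring_users():
        print(f"pid={user.pid} comm={user.comm} io_uring_fds={user.fds}")
```

On Linux 6.6 and later the kernel.io_uring_disabled sysctl can additionally restrict io_uring to privileged processes (value 1) or disable it entirely (value 2), which removes the blind spot rather than merely observing it.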


Copyright of this story solely belongs to theregister.co.uk.