io_uringblindspotrootkits-toulas2025

2025-04-24

Linux ‘io_uring’ security blindspot allows stealthy rootkit attacks

by Bill Toulas

April 24, 2025

https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blindspot-allows-stealthy-rootkit-attacks/

Notes
io_uring
rootkit
ARMO
security research
Curing rootkit https://github.com/armosec/curing
EDR evasion
Linux kernel
asynchronous I/O
system call
ring buffer
blind spot
ptrace
seccomp
io_ring disabled by default on Android and ChromeOS
Falco
detection
Tetragon
Kernel Runtime Security Instrumentation (KRSI)
eBPF

Links to this note

Recent Posts