Curing is a POC of a rootkit that uses `io_uring` to perform different tasks without using any syscalls, making it invisible to security tools that only monitor syscalls. The project was found effective against many of the most popular security tools, such as Linux EDR solutions and container security tools.

The idea was born at the latest CCC conference, #38c3, hence the name Curing, which is a mix of C and `io_uring`.
To read the full article, check the blog post. You can find a full demo of bypassing Falco with curing here.

In the POC, you will also find the commands to build and run the curing client and server.
To prove that the rootkit is not using any syscalls, you can use the following command:

```shell
strace -f -o /tmp/strace.log ./build/client
```

Zero syscalls is of course not possible; the point is to prove that the rootkit does not use any syscalls related to the attack. Only the `io_uring` syscalls are used.
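As an added illustration of how to read that strace log (this is not code from the project): the script below tallies syscalls per pid and flags any process that used `io_uring` without ever issuing a direct file or network syscall, which is exactly the gap a syscall-only monitor leaves. The `DIRECT_IO` set and the sample log lines are constructed assumptions, not output captured from the project.

```python
import re
from collections import Counter, defaultdict

# Syscalls that ordinary file/network I/O issues directly. Their absence in a
# process that does use the io_uring syscalls is the pattern the README
# describes: the work happens through the ring, not through read()/write().
DIRECT_IO = {"open", "openat", "openat2", "read", "pread64", "readv", "write",
             "pwrite64", "writev", "symlink", "symlinkat", "connect",
             "sendto", "recvfrom", "sendmsg", "recvmsg"}
IO_URING = {"io_uring_setup", "io_uring_enter", "io_uring_register"}

# "<pid> <name>(" at the start of an strace -f -o line. Signal markers ("---"),
# exit markers ("+++") and "<... name resumed>" continuations do not match, so
# a call split by a context switch is counted once, on its "<unfinished>" half.
_CALL = re.compile(r"^(\d+)\s+(\w+)\(")

def parse_strace(text):
    """Return {pid: Counter(syscall name -> count)} for a strace -f -o log."""
    per_pid = defaultdict(Counter)
    for line in text.splitlines():
        m = _CALL.match(line)
        if m:
            per_pid[int(m.group(1))][m.group(2)] += 1
    return per_pid

def report(text):
    """Map pid -> (io_uring calls, direct I/O calls, flagged). A pid is flagged
    when it used io_uring and issued no direct I/O syscall at all."""
    out = {}
    for pid, calls in parse_strace(text).items():
        ring = sum(calls[n] for n in IO_URING)
        direct = sum(calls[n] for n in DIRECT_IO)
        out[pid] = (ring, direct, ring > 0 and direct == 0)
    return out

# Constructed sample log, not real output from the project: pid 4242 does all
# its I/O through the ring, pid 4243 is an ordinary process using openat/read.
SAMPLE = """\
4242 execve("./build/client", ["./build/client"], 0x7ffd1000 /* 20 vars */) = 0
4242 io_uring_setup(256, {flags=0, sq_thread_cpu=0, sq_thread_idle=0}) = 3
4242 io_uring_register(3, IORING_REGISTER_BUFFERS, 0x55aa0000, 1) = 0
4242 io_uring_enter(3, 1, 1, IORING_ENTER_GETEVENTS, NULL, 8) = 1
4242 io_uring_enter(3, 1, 1, IORING_ENTER_GETEVENTS, NULL, 8 <unfinished ...>
4243 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
4243 read(3, "root:x:0:0:root:/root:/bin/bash\\n", 4096) = 32
4242 <... io_uring_enter resumed> ) = 1
4243 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
4243 +++ exited with 0 +++
"""
```

Run `report(open("/tmp/strace.log").read())` on a real log to see which pids only ever touch the ring; the same `DIRECT_IO` list is what a syscall-based detection rule would be watching for.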
The curing client connects to the curing server and pulls commands from it to execute. The server sends the client commands to read files, write files, create symbolic links, etc. The client uses `io_uring` to execute the commands and sends the results back to the server.

Because the client uses `io_uring`, it does not issue any syscalls related to the attack, making it invisible to security tools that monitor syscalls.

To learn more about `io_uring`, check the official documentation.

Features:
- Read files
- Write files
- Create symbolic links
- C2 server communication
- Execute processes (blocked)
- Any other feature from here
If you just want to play around with `io_uring` and test the security tool closest to you, you can use the example here.

Requirements:
- Linux kernel 5.1 or later
This project is a POC and should not be used for malicious purposes. It was created to show how `io_uring` can be used to bypass security tools that rely on syscalls. We are not responsible for any kind of abuse of this project.