Watch out for any Linux malware sneakily evading syscall-watching antivirus

A proof-of-concept program has been released to demonstrate a so-called monitoring "blind spot" in how some Linux antivirus and other endpoint protection tools use the kernel's io_uring interface. That interface allows applications to make IO requests without using traditional system calls. That's a problem for security tools …

  1. Pascal Monett Silver badge

    What a surprise

    A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.

    I can't help but think that the guy who thought this up must be a serious expert on OSes in general, and on kernels in particular. You have to know the ins and outs of the inner workings of the entire OS stack and the particulars of how it all fits together to dream up a scheme like that and make it work for you.

    What a shame that a mind like that decided to employ his formidable intellect for crime, instead of working with Torvalds or Cupertino or even Redmond and making a better world for everyone.

    1. cyberdemon Silver badge
      Meh

      Re: What a surprise

      > A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.

      There is no claim that this has been 'hijacked' by any 'miscreants', yet. It's just, AFAICT, the usual story of an AV/infosec outfit hyping a relative non-issue with a so-called PoC developed by themselves, for rep points.

      Rather than release a PoC that does not really constitute a vulnerability (the only 'concept' that it proves is that AV is fundamentally rather futile), a kernel PR would have been more welcome. Any would-be miscreant can take the PoC and perhaps evade detection, but then that is hardly the modern miscreant's primary concern.

      Once there is malware running on any system, AV or no AV, you're 90% screwed anyway.

      1. diodesign (Written by Reg staff) Silver badge

        Infosec bluster

        Yeah, normally we try not to let infosec companies hype up problems they conveniently have the solution to, and we sat on this article for a few days thinking about whether it was worth doing.

        But we figured it would be worth bringing io_uring to wider attention; it appears to be a contentious feature, and this might be a nail in the coffin for it.

        We publish a lot of work; some of it is less Earth-shattering and more just whatever we felt people would find mildly interesting.

        C.

        1. claimed

          Re: Infosec bluster

          And that’s why I love it here.

  2. This post has been deleted by its author

  3. Jou (Mxyzptlk) Silver badge

    Google search first two hits...

    sysctl -w kernel.io_uring_disabled=2

    Since kernel 6.6 it can be disabled easily, and it can be tested easily. IMHO this could have been within the article.

    1. diodesign (Written by Reg staff) Silver badge

      [triv]

      Well, heh, we did say it can be switched off, and if you can find the command in one Google search, one wonders if it's worth including here.

      We also don't like including commands we haven't tested and are not confident about. But seeing as it is pretty straightforward, and easy to run, we've now included it in the article.

      C.

  4. This post has been deleted by its author

    1. Grindslow_knoll

      Re: SELinux

      A little bit more digging: SL support for monitoring io_uring was added in 5.16 (2022): https://www.paul-moore.com/blog/d/2022/01/linux_v516.html

  5. Anonymous Coward

    Antivirus useless. News at 11.

    So... this is about antivirus software, not any specific issue with io_uring?

    That's pretty standard, if you're writing malware, you're going to check that anti-virus software doesn't detect it...

  6. thosrtanner
    Boffin

    "thing.disabled = 2" to disable it? That's pretty inspiring. Most booleans are set to 0 or 1. Why would anyone use 2? Or is 2 even more disabled than 1? And by how much?

    This looks like the True/False/File_Not_Found boolean type much beloved of DailyWTF readers.

    1. 42656e4d203239 Silver badge

      Easy to find out why 2 = completely disabled... it's because 1 is already in use.

      Phoronix

      "Submitted by Google engineer Matteo Rizzo, the upstream Linux 6.6 kernel is set to add a new sysctl interface for disabling IO_uring system-wide. The io_uring_disabled sysctl knob is being added that if set to a value of one will block all processes from calling IO_uring's setup function except for those privileged users with the system administrator capability (CAP_SYS_ADMIN). Or if io_uring_disabled is set to a value of 2, it will block all processes regardless of privilege level."

      1. thosrtanner

        Either something is disabled or it isn't. That's a LEVEL. It's badly named. I see rather too many badly named things in the computing world.

        1. Jou (Mxyzptlk) Silver badge

          Actually I see even FOUR levels!

          0 = open

          1 = only specified group

          2 = no one

          aaaand:

          "undefined", which IMHO should default to 2. But that is a kernel list discussion.
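As an added example that is not code from the thread, the article, or the kernel project: a small POSIX shell audit script that ties together the `sysctl -w kernel.io_uring_disabled=2` command from comment 3 and the 0/1/2 levels quoted from Phoronix above. It reads the live value from `/proc/sys/kernel/io_uring_disabled` (where the `kernel.io_uring_disabled` sysctl is exposed), explains what the current level means, and prints the one-shot and persistent ways to move to level 2. The function names and the `/etc/sysctl.d/99-io-uring.conf` file name are this example's own choices, not anything the kernel or a distribution mandates.

```shell
#!/bin/sh
# Added example (not from the thread or The Register): audit the
# kernel.io_uring_disabled sysctl added in Linux 6.6 and show how to harden it.
# Levels, as quoted from Phoronix in the thread:
#   0 = io_uring_setup allowed for every process
#   1 = io_uring_setup allowed only with CAP_SYS_ADMIN
#   2 = io_uring_setup blocked for everyone

# The sysctl kernel.io_uring_disabled is exposed under /proc/sys/kernel/.
SYSCTL_PATH=/proc/sys/kernel/io_uring_disabled

# Map a raw sysctl value to a human-readable policy description.
# Prints the description and returns 0; an unrecognised value returns 1.
io_uring_policy_describe() {
  case "$1" in
    0) echo "0: io_uring open to all processes" ;;
    1) echo "1: io_uring_setup restricted to CAP_SYS_ADMIN" ;;
    2) echo "2: io_uring disabled for all processes" ;;
    *) echo "unknown value '$1'"; return 1 ;;
  esac
}

# Succeed (exit 0) only when the value is the fully-disabled level, 2.
io_uring_is_hardened() {
  [ "$1" = "2" ]
}

# Read the live value. On kernels before 6.6 (or with io_uring compiled out)
# the knob does not exist; print "absent" so callers can tell that apart
# from a real level.
io_uring_current_value() {
  if [ -r "$SYSCTL_PATH" ]; then
    cat "$SYSCTL_PATH"
  else
    echo "absent"
  fi
}

# Render the sysctl.d line that persists a chosen level across reboots
# (sysctl -w changes the running kernel only).
io_uring_sysctl_line() {
  printf 'kernel.io_uring_disabled = %s\n' "$1"
}

main() {
  v=$(io_uring_current_value)
  if [ "$v" = "absent" ]; then
    echo "kernel.io_uring_disabled not present (kernel older than 6.6, or io_uring built out)"
    return 0
  fi
  echo "current: $(io_uring_policy_describe "$v")"
  if io_uring_is_hardened "$v"; then
    echo "io_uring is fully disabled; nothing to do"
  else
    echo "to disable now (root):   sysctl -w kernel.io_uring_disabled=2"
    # 99-io-uring.conf is an assumed file name; any name under sysctl.d works.
    echo "to persist (root):       echo '$(io_uring_sysctl_line 2)' > /etc/sysctl.d/99-io-uring.conf"
  fi
}

main "$@"
```

Run it as an unprivileged user to audit; only the two printed commands need root. Level 1 still leaves io_uring available to anything running with CAP_SYS_ADMIN, so for hosts that rely on syscall-watching tooling, level 2 is the setting that actually closes the path the article describes.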

  7. Anonymous Coward

    Why does Linux need antivirus?

    Shouldn't SELinux and whatnot be all the protection we need?

  8. sitta_europea Silver badge

    https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring

  9. troels.arvin

    AV: More harm than good

    It's time the IT press starts questioning the use of AV in the first place. I claim it does more harm than good, in general.

  10. RAMChYLD Bronze badge

    Clam

    But does Clam monitor the io_uring?

    1. James Loughner

      Re: Clam

      Clam primarily protects against Windows viruses that may get passed on to Windows.
