Impact
What kind of vulnerability is it? Who is impacted?
Falco monitors system activity by parsing Linux syscalls at runtime, evaluating them against a rules engine, and alerting when a rule is violated.
io_uring is a Linux kernel interface that enables high-performance asynchronous I/O by allowing applications to submit and complete I/O operations without costly syscalls for each request. It works through a pair of shared memory ring buffers between user space and the kernel: one for submitting requests and one for retrieving completions.
Although Falco can detect high-level io_uring activity by monitoring syscalls such as io_uring_setup, io_uring_enter, and io_uring_register, it was discovered that operations executed asynchronously via the io_uring interface (such as open, connect, symlinkat, and others) do not generate a distinct syscall for each individual operation and, as a result, are not detected by Falco.
Falco users running on Linux kernel >=5.1 without any protection in place to prevent io_uring usage are affected by this evasion technique.
However, note that using io_uring as a detection bypass requires an attacker to first gain access to a system, and Falco will still detect this kind of intrusion.
Mitigations
Has the issue been addressed? What actions should Falco users perform?
The krsi plugin for Falco is available, implementing an eBPF probe that collects events from syscalls, io_uring, and Kernel Runtime Security Instrumentation data. This allows Falco to inspect this new type of event.
Users running kernels that support io_uring interfaces should consider upgrading to Falco version 0.40 (or later) and enabling the krsi plugin in their installation.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users who do not intend to use the krsi plugin as explained above may alternatively either:
- Use other means to turn off the usage of io_uring
- Author custom rules to detect potentially suspicious activity generated by the io_uring_setup, io_uring_enter, and io_uring_register syscalls
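As an added illustration of the second workaround, the following is an example Falco rules file that alerts on io_uring ring creation and registration by processes outside an allow-list. It is example rule text written for this advisory, not part of the advisory itself or of the upstream Falco rules; the allow-list entries are placeholders that must be tuned to the workload.

```yaml
# Added example rules (not upstream Falco rules): alert on io_uring
# ring lifecycle syscalls from processes that are not expected to use io_uring.
# Processes legitimately expected to use io_uring on this host (placeholder values).
- list: io_uring_expected_procs
  items: [placeholder_db_server, placeholder_async_app]

# io_uring_setup and io_uring_register happen once per ring (low noise).
# io_uring_enter is issued on every submission batch and is deliberately left
# out of the alerting rule; it can still be queried ad hoc via evt.type.
- list: io_uring_lifecycle_syscalls
  items: [io_uring_setup, io_uring_register]

- rule: Unexpected io_uring ring creation or registration
  desc: >
    A process not on the io_uring allow-list created an io_uring instance or
    registered buffers/files with one. Operations later submitted through the
    ring (open, connect, symlinkat, ...) are not visible to Falco as individual
    syscalls, so the setup/register calls are the last reliable
    syscall-level signal before that visibility gap.
  condition: >
    evt.type in (io_uring_lifecycle_syscalls) and evt.dir = <
    and not proc.name in (io_uring_expected_procs)
  output: >
    io_uring ring lifecycle syscall by unexpected process
    (syscall=%evt.type proc=%proc.name cmdline=%proc.cmdline
    parent=%proc.pname user=%user.name container=%container.id args=%evt.args)
  priority: WARNING
  tags: [io_uring, evasion, custom]

# Optional companion rule: a failed io_uring_setup on a host where io_uring has
# been turned off by other means indicates something is still trying to use it.
- rule: Failed io_uring ring creation
  desc: io_uring_setup returned an error; useful where io_uring is disabled by policy.
  condition: >
    evt.type = io_uring_setup and evt.dir = < and evt.rawres < 0
  output: >
    io_uring_setup failed (proc=%proc.name cmdline=%proc.cmdline
    user=%user.name container=%container.id rc=%evt.rawres)
  priority: NOTICE
  tags: [io_uring, evasion, custom]
```

Load the file alongside the default rules (for example via an additional rules file entry in falco.yaml) and refine the allow-list from the first alerts it produces.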
References
Are there any links users can visit to find out more?
The io_uring approach is detailed in this blog post.
Built-in kernel events supported by Falco can be found in the official documentation.
The KRSI plugin can be found in the Falco official plugin repository.