Hackers can now bypass Linux security thanks to terrifying new Curing rootkit


Most Linux users assume their security tools will catch bad actors before damage is done -- but sadly, new research suggests that confidence may be misplaced. You see, ARMO, the company behind Kubescape, has uncovered what could be one of the biggest blind spots in Linux security today. The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.
At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms.
eBPF: Enabling security and performance to co-exist


Today, most organizations and individuals use Linux and the Linux kernel with a “one-size-fits-all” approach. This differs from how Linux was used in the past. For example, 20 years ago, many users would compile their own kernel and modify it to fit their specific needs, architectures and use cases. This is no longer the case, as one-size-fits-all has become good enough. But, like anything in life, “good enough” is not the best you can get.
Enter: Extended Berkeley Packet Filter (eBPF). eBPF allows users to modify the one-size-fits-all kernel to fit their specific needs. While this was not impossible before, it was cumbersome and often insecure.
Microsoft launches new open-source project to bring Linux tool eBPF to Windows


Microsoft has launched a new project with the aim of bringing the Linux kernel tool eBPF (Extended Berkeley Packet Filter) to Windows.
The company insists that the move to get the technology working on Windows does not represent a fork of eBPF. Instead, it will use existing projects, including the IOVisor uBPF project and the PREVAIL verifier, to run eBPF programs and APIs on top of its own operating systems -- specifically Windows 10 and Windows Server 2016 or above.