Researchers from ARMO have demonstrated a way to perform standard operations, such as reading and writing files and receiving commands from an external server, without the system calls that security monitoring tools watch. Instead of those system calls, network and file operations are issued through io_uring, the asynchronous I/O interface available since Linux 5.1.
The essence of the method is that, instead of separate system calls for file access and network operations (read/write, recv/send/connect/bind/listen), it uses the generic io_uring system calls (io_uring_enter, io_uring_setup, io_uring_register, etc.), which typical tools for detecting malicious activity do not inspect. The io_uring interface supports about 60 different operations, and support for launching new processes through io_uring is under development.
To demonstrate the method, a prototype rootkit called Curing was prepared that performs actions such as receiving commands from an external server and transferring or modifying files. The demonstration sent a request to TCP port 8888 of an external host and transmitted the contents of the file "/etc/shadow". It is assumed that after successfully compromising a system and obtaining root privileges, the attacker installs the rootkit to maintain persistence on the hacked system (container).
In the experiment, the activity of the Curing rootkit was not seen by the monitoring tools
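As an added example, not part of the article or of ARMO's research, here is a defender-side check in Python: it lists processes that hold an io_uring ring (visible as the `anon_inode:[io_uring]` link target under /proc/<pid>/fd, the same marker `ls -l` shows) and reads the `kernel.io_uring_disabled` sysctl that Linux 6.6 and later provide to restrict the interface. The function names and the sample fd list are my own.

```python
# Added example: inventory io_uring use on a Linux host from /proc, and
# report the kernel.io_uring_disabled policy (Linux >= 6.6:
# 0 = enabled, 1 = disabled for unprivileged users, 2 = disabled for all).
import os
from typing import Dict, Iterable, List, Tuple

IO_URING_LINK = "anon_inode:[io_uring]"          # readlink target of a ring fd
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"  # absent before 6.6


def io_uring_fds(fd_targets: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the fd numbers whose link target is an io_uring ring.
    fd_targets: (fd, target) pairs as produced by os.readlink on /proc/<pid>/fd/*."""
    return [fd for fd, target in fd_targets if target == IO_URING_LINK]


def scan_proc(proc_root: str = "/proc") -> Dict[int, Tuple[str, List[str]]]:
    """Map pid -> (comm, [ring fds]) for every process that set up io_uring.
    Needs root to read other users' fd tables; vanished processes are skipped."""
    hits: Dict[int, Tuple[str, List[str]]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            pairs = [(fd, os.readlink(os.path.join(fd_dir, fd)))
                     for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:  # process exited or permission denied
            continue
        fds = io_uring_fds(pairs)
        if fds:
            hits[int(entry)] = (comm, fds)
    return hits


def io_uring_policy(sysctl_path: str = SYSCTL_PATH) -> str:
    """Human-readable value of kernel.io_uring_disabled, or 'unknown' if absent."""
    try:
        with open(sysctl_path) as f:
            value = f.read().strip()
    except OSError:
        return "unknown (sysctl absent, kernel < 6.6)"
    names = {"0": "enabled for all", "1": "disabled for unprivileged users",
             "2": "disabled for all"}
    return names.get(value, value)


if __name__ == "__main__":
    print("io_uring policy:", io_uring_policy())
    for pid, (comm, fds) in scan_proc().items():
        print(f"pid {pid} ({comm}) holds io_uring ring(s) on fd {', '.join(fds)}")
```

A ring held by a process that has no legitimate need for asynchronous I/O is worth a closer look, but a rootkit running as root can hide its entries from /proc, so this check complements rather than replaces kernel-level telemetry.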