Proof-of-concept bypass shows weakness in Linux security tools, claims Israeli vendor

Falco was blind to Curing, while Defender was unable to detect either Curing or a range of other common malware. Tetragon, on the other hand, was able to detect io_uring, but only when using Kprobes and LSM hooks, which Armo said are not used by default.
According to Armo, the problem with all three is an over-reliance on Extended Berkeley Packet Filter (eBPF)-based agents, which monitor system calls as a simple way of gaining visibility into threats. Despite the benefits of this approach, not everyone in the industry thinks it is a good design.
“System calls aren’t always guaranteed to be invoked; io_uring, which can bypass them entirely, is a positive and great example. This highlights the trade-offs and design complexity involved in building robust eBPF-based security agents,” wrote Armo’s Head of Security Research, Amit Schendel.
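Because a syscall-only agent may not see work submitted through io_uring, a defender can at least inventory which processes hold io_uring instances and whether the kernel restricts them. The following is an added example, not code from Armo or from the tools named above; it assumes a Linux `/proc` layout, the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later), and hypothetical function names.

```python
"""Added example: inventory io_uring usage from /proc (point-in-time snapshot)."""
import os

# readlink() target the kernel reports for an io_uring file descriptor
IO_URING_LINK = "anon_inode:[io_uring]"

def io_uring_policy(proc_root="/proc"):
    """Return kernel.io_uring_disabled, or None if the sysctl is absent.

    0 = allowed for all, 1 = restricted for unprivileged users, 2 = disabled.
    """
    path = os.path.join(proc_root, "sys/kernel/io_uring_disabled")
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None  # older kernels do not expose this sysctl

def find_io_uring_users(proc_root="/proc"):
    """Map pid -> (comm, [fd numbers]) for each process with an io_uring fd."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        rings = []
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == IO_URING_LINK:
                    rings.append(int(fd))
            except OSError:
                continue  # fd closed between listdir and readlink
        if rings:
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            found[int(entry)] = (comm, sorted(rings))
    return found

if __name__ == "__main__":
    print("kernel.io_uring_disabled =", io_uring_policy())
    for pid, (comm, fds) in sorted(find_io_uring_users().items()):
        print(f"pid={pid} comm={comm} io_uring_fds={fds}")
```

Run as root to see every process; short-lived rings opened and closed between scans will not appear, so this complements kernel-level hooks rather than replacing them.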