Malware Detection Evasion using IO Uring


Nowadays, many frameworks allow running high-level code. Diverse frameworks treat individual requests differently. A popular approach is to serve each request in a separate process or thread ( or thread pools storing threads for better performance). On the one hand, blocking a request on a single thread, e.x. by calling accept(2), does not influence other threads. On the other hand, no other task in the thread can use the CPU during the blocking time. “io_uring” resolves the issue with the blocking time. Instead of computing individual and expensive I/O operations, io_uring accepts in the queue multiple I/O requests, notifies the kernel to proceed with these requests, and finally, the second completion queue is triggered when the kernel sends the response. However, since the technology is new, io_uring has security issues. For example, Google paid researchers around 1 million USD last year in their bug bounty mission for the findings connected to io_uring. This work will summarize the current use of io_uring, its vulnerabilities, and possible malware detection/analysis.

TU Wien