Falco was blind to Curing, whereas Defender was unable to detect either Curing or a variety of other common malware. Tetragon, on the other hand, was able to detect io_uring, but only when using kprobes and LSM hooks, which Armo said are not used by default.
According to Armo, the problem with all three is an over-reliance on Extended Berkeley Packet Filter (eBPF) based agents, which monitor system calls as a simple means of gaining visibility of threats. Despite the benefits of this, not everyone in the industry thinks this is a good design.
“System calls aren’t always guaranteed to be invoked; io_uring, which can bypass them entirely, is a positive and great example. This highlights the trade-offs and design complexity involved in building robust eBPF-based security agents,” wrote Armo’s Head of Security Research, Amit Schendel.
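The practical consequence of the quote above is that a monitoring agent which relies only on syscall tracepoints has no hook point for I/O submitted through io_uring, while LSM hooks (such as the ones Tetragon can attach to) fire on the kernel's security checks regardless of how the request entered the kernel. Those LSM hooks can only be attached if the kernel was booted with the BPF LSM active. The script below is an added example written for this article, not code from Armo, Tetragon, Falco or Defender: it reads the active LSM stack that the kernel exposes in /sys/kernel/security/lsm (a real path; securityfs must be mounted) and reports whether "bpf" is among the loaded LSMs, so a defender can tell in advance whether an LSM-hook based policy has any chance of working on a given host. The sample LSM lists used in the comments and test are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether the running kernel has the BPF LSM active.
# LSM-hook based eBPF tracing policies (for example Tetragon's lsmhooks) can
# only attach when "bpf" appears in the kernel's active LSM list; otherwise the
# agent is left with syscall tracepoints and kprobes, which io_uring-submitted
# I/O does not pass through.

# bpf_lsm_enabled [LSM_LIST_FILE]
# The kernel publishes the active LSM stack as a single comma-separated line,
# e.g. "lockdown,capability,landlock,yama,apparmor,bpf" (constructed sample).
# Returns 0 if "bpf" is one of the listed LSMs, 1 otherwise (or if the file
# cannot be read, e.g. securityfs not mounted or insufficient permissions).
bpf_lsm_enabled() {
    lsm_file="${1:-/sys/kernel/security/lsm}"
    [ -r "$lsm_file" ] || return 1
    # Split the list on commas and look for an exact "bpf" entry, so that a
    # hypothetical LSM named "bpfoo" would not produce a false positive.
    tr ',' '\n' < "$lsm_file" | grep -qx 'bpf'
}

# active_lsms [LSM_LIST_FILE]
# Prints the active LSMs one per line, for inclusion in a host inventory.
active_lsms() {
    lsm_file="${1:-/sys/kernel/security/lsm}"
    [ -r "$lsm_file" ] || return 1
    tr ',' '\n' < "$lsm_file" | sed '/^$/d'
}

# Usage on a live host: run this file directly. The message goes to stderr when
# the check fails so that it is visible even if stdout is collected elsewhere.
if bpf_lsm_enabled; then
    echo "BPF LSM active: LSM-hook based tracing policies can attach"
else
    echo "BPF LSM not active: only syscall/kprobe based tracing is available" >&2
fi
```

If the check fails, the fix is a kernel-level one (a kernel built with CONFIG_BPF_LSM and booted with `bpf` in the `lsm=` command-line list), which is why the hooks Armo describes as "not used by default" cannot simply be switched on from the agent's configuration.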