Falco was blind to Curing, while Defender was unable to detect either Curing or a range of other widespread malware. Tetragon, on the other hand, was able to detect io_uring activity, but only when using kprobes and LSM hooks, which Armo said are not enabled by default.
According to Armo, the problem with all three is an over-reliance on Extended Berkeley Packet Filter (eBPF) based agents, which monitor system calls as a simple way of gaining visibility of threats. io_uring submits I/O requests through rings shared with the kernel, so the file and network operations it performs never appear as individual system calls; a tracer watching the syscall boundary sees only the io_uring_setup and io_uring_enter calls that manage the ring. Despite the benefits of syscall monitoring, not everyone in the industry thinks this is a good design.
“System calls aren’t always guaranteed to be invoked; io_uring, which can bypass them entirely, is a positive and great example. This highlights the trade-offs and design complexity involved in building robust eBPF-based security agents,” wrote Armo’s Head of Security Research, Amit Schendel.
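To make the gap concrete, here is an added example written for this page; it is not code from Armo, from Curing, or from any of the agents discussed. A child process installs a seccomp filter that refuses read(2), then reads the same file twice: once with read(), which the filter stops, and once through a raw io_uring ring, which the filter never sees because no read syscall is made. The seccomp filter stands in for any hook at the syscall boundary, which is exactly where a syscall-tracing eBPF agent sits. It assumes a Linux kernel with io_uring enabled and the linux/io_uring.h headers installed; the helper names (block_read_syscall, io_uring_read, run_demo), the result codes and the sample file content are all mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/io_uring.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
enum { DEMO_BYPASSED = 0, DEMO_FAIL = 1, DEMO_NO_IOURING = 2, DEMO_NO_SECCOMP = 3 };
/* Constructed sample content (not from the article). */
static const char SAMPLE[] = "secret: a syscall tracer never saw this read\n";
/* Make read(2) fail with EPERM via seccomp: a stand-in for any hook at the
   syscall boundary. Demo only: it skips the arch check a real filter needs. */
static int block_read_syscall(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Read up to n bytes from offset 0 of fd through a raw io_uring ring. The only
   syscalls made are io_uring_setup and io_uring_enter. Returns bytes or -errno. */
static int io_uring_read(int fd, void *buf, unsigned n)
{
    struct io_uring_params p = {0};
    int ring = (int)syscall(__NR_io_uring_setup, 4, &p);
    if (ring < 0) return -errno;
    size_t sq_sz = p.sq_off.array + p.sq_entries * sizeof(unsigned);
    size_t cq_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);
    size_t sqes_sz = p.sq_entries * sizeof(struct io_uring_sqe);
    int prot = PROT_READ | PROT_WRITE, fl = MAP_SHARED | MAP_POPULATE;
    unsigned char *sq = mmap(NULL, sq_sz, prot, fl, ring, IORING_OFF_SQ_RING);
    unsigned char *cq = mmap(NULL, cq_sz, prot, fl, ring, IORING_OFF_CQ_RING);
    struct io_uring_sqe *sqes = mmap(NULL, sqes_sz, prot, fl, ring, IORING_OFF_SQES);
    int rc = -ENOMEM;
    if (sq == MAP_FAILED || cq == MAP_FAILED || sqes == MAP_FAILED) goto out;
    /* Ring pointers live at the offsets the kernel reported in p. */
    unsigned *sq_tail = (unsigned *)(sq + p.sq_off.tail), *sq_array = (unsigned *)(sq + p.sq_off.array);
    unsigned sq_mask = *(unsigned *)(sq + p.sq_off.ring_mask), cq_mask = *(unsigned *)(cq + p.cq_off.ring_mask);
    unsigned *cq_head = (unsigned *)(cq + p.cq_off.head), *cq_tail = (unsigned *)(cq + p.cq_off.tail);
    struct io_uring_cqe *cqes = (struct io_uring_cqe *)(cq + p.cq_off.cqes);
    /* Fill one submission queue entry (a readv of one iovec) and publish it. */
    struct iovec iov = { .iov_base = buf, .iov_len = n };
    unsigned tail = *sq_tail, idx = tail & sq_mask;
    memset(&sqes[idx], 0, sizeof sqes[idx]);
    sqes[idx].opcode = IORING_OP_READV;
    sqes[idx].fd = fd;
    sqes[idx].addr = (unsigned long)&iov;
    sqes[idx].len = 1;
    sqes[idx].off = 0;
    sq_array[idx] = idx;
    __atomic_store_n(sq_tail, tail + 1, __ATOMIC_RELEASE);
    /* Submit, wait for one completion, then reap it from the completion queue. */
    rc = -EIO;
    if (syscall(__NR_io_uring_enter, ring, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        rc = -errno;
    else if (*cq_head != __atomic_load_n(cq_tail, __ATOMIC_ACQUIRE)) {
        rc = cqes[*cq_head & cq_mask].res;
        __atomic_store_n(cq_head, *cq_head + 1, __ATOMIC_RELEASE);
    }
out: /* munmap on MAP_FAILED just returns EINVAL, so no guards are needed. */
    munmap(sqes, sqes_sz); munmap(cq, cq_sz); munmap(sq, sq_sz); close(ring);
    return rc;
}
/* Run the comparison in a child so the seccomp filter never binds the caller.
   DEMO_BYPASSED: read(2) refused, yet io_uring returned the file's bytes. */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return DEMO_FAIL;
    if (pid == 0) {
        char path[] = "/tmp/iouring-demo-XXXXXX", buf[128] = {0};
        int fd = mkstemp(path);
        if (fd < 0) _exit(DEMO_FAIL);
        unlink(path);
        if (write(fd, SAMPLE, sizeof SAMPLE - 1) != (ssize_t)(sizeof SAMPLE - 1)) _exit(DEMO_FAIL);
        if (block_read_syscall() != 0) _exit(DEMO_NO_SECCOMP);
        /* The hook at the syscall boundary sees this read and refuses it... */
        if (read(fd, buf, sizeof buf) != -1 || errno != EPERM) _exit(DEMO_FAIL);
        /* ...and never sees this one: no read syscall is ever made. */
        int got = io_uring_read(fd, buf, sizeof buf - 1);
        if (got == -ENOSYS || got == -EPERM) _exit(DEMO_NO_IOURING);
        if (got != (int)(sizeof SAMPLE - 1) || memcmp(buf, SAMPLE, (size_t)got) != 0) _exit(DEMO_FAIL);
        _exit(DEMO_BYPASSED);
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return DEMO_FAIL;
    return WEXITSTATUS(st);
}
```

Build it with `cc -O2 demo.c` and call run_demo() from a main of your own; under `strace -f` the second read shows up only as io_uring_setup, the three mmap calls and one io_uring_enter, with no read(2) in the trace, which is the blind spot the article describes. On a kernel where io_uring is off (for example the kernel.io_uring_disabled sysctl on 6.6 and later, or a container seccomp profile that denies io_uring_setup) the function reports DEMO_NO_IOURING, which is also the cheapest mitigation where an application does not need io_uring. Hooks placed below the syscall layer, such as kprobes on the VFS read path or LSM file hooks, see both reads, which is why Tetragon caught the activity only in that configuration.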
