The Wrong Layer
A ransomware defense system intercepts file operations to create backups before encryption can destroy the originals. The logic is sound: detect the open, copy the file, let the operation proceed. If the operation is malicious, the backup exists. If it’s benign, no harm done.
Higuchi and Kobayashi (arXiv:2603.16364) test this on XFS and find that the same backup logic achieves either 0% or 100% coverage depending on which kernel hook point implements it. The Linux Security Module hook — the generic, abstraction-respecting interception point — misses operations that the filesystem-specific hook (xfs_file_open) catches. The defense is correct. The layer is wrong.
The problem is that ransomware interacts with files through the filesystem, not through the security abstraction. The LSM hook sees file operations as the security model represents them. The XFS hook sees file operations as XFS represents them. These are not the same set. The security abstraction elides operations that the filesystem considers distinct, and some of those elided operations are exactly the ones ransomware uses.
This is a general principle: a defense that operates at a different level of abstraction than the attack will miss attacks that exploit the gap between abstractions. The LSM hook is not wrong — it correctly implements the security model’s view of file access. But the security model’s view is not the filesystem’s view, and the filesystem’s view is what matters because that’s the reality the ransomware inhabits.
The fix is not to add more hooks at the security layer. It is to move the hook to the layer that shares the attacker’s ontology — the layer that sees files the way the attacker sees them. Defense must match the attacker’s abstraction, not the defender’s.