Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Impact of File-Open Hook Points on Backup Ratio in ROFBS on XFS

Kosuke Higuchi, Ryotaro Kobayashi

Abstract

Ransomware continues encrypting files during the delay between attack onset and detection. ROFBS mitigates this problem by backing up pre-modification files in real time upon file-open events. However, because the Linux file-open path traverses multiple kernel functions, it remains unclear how the choice of hook point affects defense effectiveness. In this study, we kept the ROFBS mechanism fixed and changed only the hook points on the Linux file-open path. We compared may_open, inode_permission, do_dentry_open, security_file_open, and xfs_file_open on AlmaLinux with XFS using three ransomware families: AvosLocker, Conti, and IceFire. We used Backup Ratio as the main metric and also compared the number of encrypted files with backups and the total number of encrypted files. The results showed that hook-point selection substantially affected both recoverability and damage scale. For AvosLocker, security_file_open achieved the highest Backup Ratio (82.5%). For Conti and IceFire, xfs_file_open achieved the highest values (100.0% and 63.2%, respectively). Moreover, xfs_file_open minimized the total number of encrypted files for all three ransomware families. These results indicate that, in ROFBS, the layer at which file-open events are observed is a key design factor. In particular, on XFS, hooking the filesystem-specific callback xfs_file_open may be advantageous when the goal is to reduce overall damage.

Impact of File-Open Hook Points on Backup Ratio in ROFBS on XFS

Abstract

Ransomware continues encrypting files during the delay between attack onset and detection. ROFBS mitigates this problem by backing up pre-modification files in real time upon file-open events. However, because the Linux file-open path traverses multiple kernel functions, it remains unclear how the choice of hook point affects defense effectiveness. In this study, we kept the ROFBS mechanism fixed and changed only the hook points on the Linux file-open path. We compared may_open, inode_permission, do_dentry_open, security_file_open, and xfs_file_open on AlmaLinux with XFS using three ransomware families: AvosLocker, Conti, and IceFire. We used Backup Ratio as the main metric and also compared the number of encrypted files with backups and the total number of encrypted files. The results showed that hook-point selection substantially affected both recoverability and damage scale. For AvosLocker, security_file_open achieved the highest Backup Ratio (82.5%). For Conti and IceFire, xfs_file_open achieved the highest values (100.0% and 63.2%, respectively). Moreover, xfs_file_open minimized the total number of encrypted files for all three ransomware families. These results indicate that, in ROFBS, the layer at which file-open events are observed is a key design factor. In particular, on XFS, hooking the filesystem-specific callback xfs_file_open may be advantageous when the goal is to reduce overall damage.
Paper Structure (17 sections, 1 equation, 1 figure, 6 tables, 1 algorithm)

This paper contains 17 sections, 1 equation, 1 figure, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Background
  4. Overview of ROFBS
  5. Extended Berkeley Packet Filter
  6. BPF Compiler Collection
  7. File-Open Path in Linux
  8. Experimental Setup
  9. Backup Ratio
  10. Results
  11. Discussion
  12. Effect of Hook Position
  13. Why xfs_file_open Was Advantageous in This Setting
  14. Differences Across Ransomware Families
  15. Implications for ROFBS Design
  16. ...and 2 more sections

Figures (1)

  • Figure 1: Simplified Linux open path relevant to this study. Gray boxes indicate the hook points evaluated in the experiments. Helper functions and special-case branches are omitted except for several annotated points.