DirtyFree: Simplified Data-Oriented Programming in the Linux Kernel
Yoochan Lee
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security
This talk presents **DirtyFree**, a simplified data-oriented programming (DOP) exploitation method for the Linux kernel that uses the **arbitrary free primitive** as its central building block instead of the traditional trifecta of information leak, arbitrary read, and arbitrary write. The key insight is that arbitrary free can transform almost any kernel object into a **use-after-free state**, and by targeting privilege-related structures like `struct cred`, an attacker can achieve privilege escalation through **privilege placement** -- freeing a low-privilege credential object and having a high-privilege one allocated in its place.
AI review
Outstanding kernel exploitation research that elevates the arbitrary free primitive from an afterthought to the central exploitation building block. DirtyFree successfully exploits 24 out of 31 real-world kernel vulnerabilities under modern mitigations that have killed previous techniques like Dirty Page Table. The struct cred privilege placement chain is elegant, the static analysis pipeline for finding arbitrary free objects is immediately useful, and the technique survives every defense thrown at it including slab isolation and type-specific allocators.