On Sat, Mar 25, 2017 at 11:22:24AM -0400, Thor Lancelot Simon wrote:
> ASLR increases the work factor for that stuff considerably (though there
> are obvious approaches if you can zap the early boot code to wire down
> the "randomization" so it isn't, etc).
I strongly contend this point in the case of the kernel and under the assumption that the attacker can execute (unprivileged) code. The approach can be found, i.e. see 33C3.

I also strongly question any magic fixes from vendors -- it is highly unlikely to work by the very nature of how caches and the TLB operate.

So yes, it strongly seems to me that the consensus in the security research community is that kernel ASLR doesn't really work on modern CPUs.

Joerg