What's KASLR?

KASLR is ASLR (address space layout randomization) for the kernel. In theory, the KASLR patch randomizes the base kernel address to some location while loading the kernel, so an attacker cannot jump to some useful function or location. Really? Okay, it's just not that perfect; things are a little different in real life...

So what's wrong with KASLR?

The biggest group of threats against user-space ASLR is information leaks, and that's very true for KASLR. The Linux kernel (and the BSD and OS X kernels too) has lots of info-leak bugs, and only one of them is enough to defeat the randomization. Dangling pointers, uninitialized data structures and half-written memory locations all leak precious information about these randomized / "unknown" addresses.

Another weakness is low entropy: the kernel cannot move that much. Some numbers for your imagination: 512 different locations are currently possible for 64-bit x86 and half of that for 32-bit x86. The same goes for the iOS implementation, with 8 bits of entropy. There are some hardware limitations.
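To make the two weaknesses above concrete, here is a small model (added here, not code from the original post) that turns the slot counts into entropy bits and shows why a single leaked kernel pointer collapses the whole candidate set to one. The slot counts come from the post (512 on x86-64, half on 32-bit x86, 8 bits on iOS); the 2 MiB slide granularity, the unslid text base and the symbol offset are constructed assumptions for illustration only.

```python
import math
import random

# Slot counts as stated on the page; the iOS figure is derived from its 8 bits of entropy.
SLOTS = {"x86_64": 512, "x86_32": 256, "ios": 2 ** 8}

# Constructed assumptions: the kernel can only be slid in ALIGN-sized steps
# from an unslid base. The actual values differ per platform and build.
ALIGN = 2 * 1024 * 1024
UNSLID_TEXT_BASE = 0xFFFFFFFF81000000


def entropy_bits(slots):
    """Bits of randomness an attacker has to guess when there are `slots` positions."""
    return math.log2(slots)


def random_base(slots, rng):
    """Model one boot: pick one of the `slots` aligned positions for the kernel text."""
    return UNSLID_TEXT_BASE + rng.randrange(slots) * ALIGN


def recover_base_from_leak(leaked_ptr, symbol_offset):
    """A dangling pointer or uninitialized field that leaks one kernel text pointer
    reveals the base, because the symbol's offset inside the image is public."""
    return leaked_ptr - symbol_offset


def candidate_slots_after_leak(leaked_ptr, symbol_offset, slots):
    """Which of the original slots remain consistent with the leaked pointer."""
    base = recover_base_from_leak(leaked_ptr, symbol_offset)
    return [i for i in range(slots) if UNSLID_TEXT_BASE + i * ALIGN == base]


def simulate(slots, symbol_offset, seed=0):
    """Boot a modelled kernel, leak one pointer, and report how much entropy is left."""
    rng = random.Random(seed)
    base = random_base(slots, rng)
    # Constructed leak: the raw address of some text symbol escapes to user space.
    leaked = base + symbol_offset
    remaining = candidate_slots_after_leak(leaked, symbol_offset, slots)
    return {
        "entropy_bits": entropy_bits(slots),
        "candidates_before": slots,
        "candidates_after": len(remaining),
        "recovered": recover_base_from_leak(leaked, symbol_offset) == base,
    }


if __name__ == "__main__":
    for name, slots in SLOTS.items():
        print(name, simulate(slots, symbol_offset=0x1234))
```

Running it shows the gap between the two numbers the post cares about: 9 bits (or 8) of entropy before any bug is considered, and 0 bits the moment one pointer leaks, which is why the post treats a single info leak as sufficient.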

Is KASLR useless?

Most of the time it's useless. Only in some minor cases, like "remote kernel exploits", can it be useful, but those are very, very rare.