KASLR support
With kernel address space layout randomization (KASLR), the kernel is loaded to a random location in memory.
Loading the kernel to a random location can protect against attacks that rely on knowledge of the kernel addresses.
The KASLR feature is enabled by default. You can use the nokaslr kernel parameter to disable it, see nokaslr - Disable kernel randomization.
With KASLR enabled, the kernel is loaded to a random address, but kernel messages can reveal kernel internal addresses. Prevent access to the kernel messages for unprivileged users by setting the dmesg_restrict sysctl to 1. This setting restricts dmesg access to users with CAP_SYSLOG privilege.
Kernel addresses can also be compromised through /proc and other interfaces. To prevent this, set the kptr_restrict sysctl to 1.
For more information about the dmesg_restrict and kptr_restrict sysctls, see the Documentation/sysctl/kernel.txt in the kernel source tree.