For those that say ASLR is useless due to cache/timing attacks:
Show me a reliable, working remote exploit for OpenVPN compiled as a PIE that works due to cache/timing attacks rendering ASLR useless.
So to say ASLR is useless because of some attack vector ASLR wasn't even meant to protect against is to throw everything else under the bus.
Remember: browsers introduce remote code execution as a feature. This is not what ASLR was meant to protect against.