TheXero,

I think the article gives a good overview of ASLR on Windows. 

In the introduction, you describe a basic overflow as overwriting EIP with a return address to a JMP instruction.  I'm not sure what the current state of the art is, but the old technique was to overwrite EIP with an address that pointed inside of a NOP sled that leads to the shellcode.  You could also create a sled out of a series of relative JMP instructions.  Unless something has changed, you would not (in ordinary circumstances) return to an absolute JMP.

Your paper has no references but you've obviously pulled information from several sources.  Ideally, you would cite these throughout the paper, but you should at least have a bibliography at the end.  Not only does this provide credit where appropriate, but it tells readers where they can go to get more information.  There are several published papers on ASLR that readers could use to learn more about various aspects.

You mention Linux in passing, but there are some differences on Linux (and OpenBSD) as opposed to Windows.  In particular, I think OpenBSD and some Linux distributions have full ASLR which would prevent your method #2 from working.  I can't say that with full confidence since I haven't studied their implementations recently, but it would be worth looking in to.

I thank you for writing and distributing this paper.  Too few people take the time to share their knowledge and discoveries with the community.

I agree, but nice job TheXero