This writeup describes what their solution is, but does not give any explanation for why it works. How did they know that that particular address would not be affected by ASLR and PIE? This is arguably the most important part of the solution that they have omitted, sadly. Does this relate to Arch Linux in any way?