My 66000 architecture prevents Return Oriented Programming by placing the protected parts of
call-return interface on a stack where the code cannot access "wildly".
a) the Safe Stack pointer to this memory is not visible (unless one has GuestOS privilege)
....it sits over in a control register near where the IP is maintained.
b) the pages are translated with entries where RWE = 000 (no application access)
....the PTE's RWE is checked to be 000 by MMU.
c) only ENTER and EXIT and RET instructions can access this data.
d) preserved registers are marked to read as zero until written--so you don't know
....even what value was preserved on that other stack.
e) knowing that this memory area is really and only operated as an un-shared stack, new lines can
....be allocated without coherence traffic, and discarded without writing back to memory. Improving
....memory efficiency.
The unprivileged attacker does not know where that stack is, and even if they did know, there have
no memory reference access to it.
Subroutine Prologue and Epilogue sequences have free access to this stack, but not any
LDs or STs.
Thus attacker can overrun a buffer, and blow the data stack, but cause no harm to the preserved
state (return address is an important part of this state). Thus, an attacked subroutine will still
return to its caller and with all the preserved registers.
Also note: the programming model is identical with or without Safe Stack in use. The same
re-entrant shared binary can be called from un-safe-stack mode as well as Safe-Stack mode.
I looked at this briefly. You have a long way to go, but you understand many of the major point.