by Animats
3262 days ago

There have been machines with a separate return address stack in on-chip hardware. Forth CPUs were built that way, as was a National Semiconductor part used for running embedded BASIC. Running out of return point stack was a problem, since those 1980s machines were transistor-limited and came with small return stack sizes.

Modern high-end CPUs have hardware return stacks too, but only as a hint to the branch predictor of where a ret instruction will jump to (return stack buffer).
Separately... there are exploit mitigations that create a separate stack just for return addresses, making them impossible to reach through stack buffer overflows. For a recent implementation, see Clang's SafeStack:
https://clang.llvm.org/docs/SafeStack.html
Or for a hardware-assisted version, there's Intel CET (not yet implemented on shipping CPUs, AFAIK):
https://software.intel.com/en-us/blogs/2016/06/09/intel-rele...
There are serious limitations to this approach, though: there's a lot of important data on the stack other than return addresses, and overwriting it is often enough for an attacker to redirect control flow eventually, just more indirectly.
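As an added illustration (not part of the thread's comments): a small C model of the separate return-address stack described above. It shows the two points made in the comment, that a shadow copy of the return address catches an overwritten return address, and that it says nothing about other data on the stack (here a function pointer) being overwritten by the same unchecked write. The frame layout, the `shadow_*` helpers, `run_scenario` and the sample return address are constructed for this model, not taken from SafeStack or CET.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of one stack frame: a fixed buffer, "other important data" (a
 * function pointer) and the saved return address, laid out contiguously
 * in the order an overflow of buf would reach them. Constructed model of
 * the layout, not the real machine stack. */
typedef struct {
    char buf[16];
    void (*callback)(void);
    uintptr_t ret;
} frame_t;

/* The separate return-address stack that SafeStack/CET-style schemes keep
 * out of reach of writes on the main stack. */
#define SHADOW_DEPTH 64
static uintptr_t shadow[SHADOW_DEPTH];
static int shadow_top;

static void shadow_push(uintptr_t ret) { shadow[shadow_top++] = ret; }

/* Returns 1 if the main-stack return address still matches the shadow copy. */
static int shadow_pop_check(uintptr_t ret_on_main_stack) {
    return shadow[--shadow_top] == ret_on_main_stack;
}

/* Simulate an unchecked write of len bytes starting at buf: bytes past the
 * 16-byte buffer spill into callback and then into ret. Bounded to the frame
 * so the simulation itself stays within the object. */
static void unchecked_write(frame_t *f, size_t len) {
    unsigned char *p = (unsigned char *)f;
    for (size_t i = 0; i < len && i < sizeof *f; i++) p[i] = 'A';
}

static void benign(void) {}

/* Runs one overflow of the given length and returns a bitmask:
 * bit 0 = shadow stack detected a tampered return address,
 * bit 1 = the function pointer next to the buffer was corrupted. */
int run_scenario(size_t overflow_len) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.callback = benign;
    f.ret = 0x401000;            /* constructed sample return address */
    shadow_push(f.ret);          /* the "call" */
    unchecked_write(&f, overflow_len);
    int callback_corrupted = (f.callback != benign) ? 2 : 0;
    int ret_detected = shadow_pop_check(f.ret) ? 0 : 1;   /* the "return" */
    return callback_corrupted | ret_detected;
}
```

An overflow that stops short of the saved return address corrupts the function pointer without the shadow stack ever noticing, which is exactly the limitation the comment points out.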