The author discusses the development of stack-protection mechanisms in OpenBSD, specifically the stack protector and RETGUARD. The stack protector was initially implemented with a 16-byte heuristic, so that only functions with sufficient local storage were protected, and its check function lived in libc. Over time the stack protector was improved, but it was found to be slower because CPU resources were wasted. RETGUARD, by contrast, used an illegal instruction as a speculation barrier, which gave faster performance. The author proposes using the RETGUARD approach for stack protection on certain architectures, such as x86 and riscv64, and notes that enabling stack protection for all functions could still achieve acceptable performance. The author acknowledges that more work is needed to reach ROP-free status and to improve the performance analysis.
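To make the mechanism the summary refers to concrete, the following C program is an added example (not OpenBSD's code and not from the linked thread) that models a compiler-inserted stack canary: a secret value placed between a function's local buffer and its control data, written in the prologue and compared in the epilogue. The frame layout, the `CANARY_SECRET` constant and the `needs_protector` threshold rule are constructed assumptions for illustration; the real check calls a libc failure routine that aborts, whereas this model reports a result so it can be run and inspected. The RETGUARD variant (an illegal instruction as speculation barrier) is architecture-specific and is not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated stack frame: locals, then the canary, then saved control data.
 * This is a model of the idea, not OpenBSD's actual frame layout. */
typedef struct {
    char buf[16];
    uintptr_t canary;
    uintptr_t saved_ret;
} frame_t;

enum check_result { FRAME_OK = 0, FRAME_CANARY_SMASHED = 1 };

/* Per-process secret. A real implementation obtains it from the kernel at
 * program start; this is a constructed constant. */
static const uintptr_t CANARY_SECRET = (uintptr_t)0x5A3C9F1E7B2D4086ULL;

/* Assumed model of the 16-byte heuristic: only functions whose local
 * buffer is at least 16 bytes receive the protector. */
static int needs_protector(size_t local_buffer_bytes) {
    return local_buffer_bytes >= 16;
}

/* Prologue: zero locals, store the canary, record the saved return value. */
static void frame_enter(frame_t *f, uintptr_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_SECRET;
    f->saved_ret = ret;
}

/* Epilogue check (libc-style compare). Real code would call the failure
 * routine and abort instead of returning a status. */
static enum check_result frame_leave(const frame_t *f) {
    return f->canary == CANARY_SECRET ? FRAME_OK : FRAME_CANARY_SMASHED;
}

/* Copy len bytes into the local buffer with no bound check, modelling the
 * class of defect the canary exists to catch. len is clamped to the frame
 * size so the model itself stays within the object it owns. */
static void unchecked_copy(frame_t *f, const char *src, size_t len) {
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(frame_t, buf), src, len);
}

/* Run one "call": enter, copy len constructed bytes, leave. Returns the
 * epilogue check result so callers can see whether the canary caught it. */
enum check_result simulate_copy(size_t len) {
    frame_t f;
    char src[sizeof(frame_t)];
    memset(src, 'A', sizeof src);   /* constructed input */
    frame_enter(&f, (uintptr_t)0xDEADBEEF);
    unchecked_copy(&f, src, len);
    return frame_leave(&f);
}

int main(void) {
    printf("protector needed for 8-byte buffer:  %d\n", needs_protector(8));
    printf("protector needed for 16-byte buffer: %d\n", needs_protector(16));
    printf("copy of 16 bytes: %s\n",
           simulate_copy(16) == FRAME_OK ? "ok" : "canary smashed");
    printf("copy of 17 bytes: %s\n",
           simulate_copy(17) == FRAME_OK ? "ok" : "canary smashed");
    return 0;
}
```

A 16-byte copy fills the buffer exactly and leaves the canary intact; a 17-byte copy overwrites the canary's first byte, and the epilogue comparison detects the corruption before control data would be used.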
https://marc.info/?l=openbsd-tech&m=169558749114476&w=2