Long ago, inspired by DiamondTek LAN, I designed a similar scheme where I'd have a secure coprocessor on the memory or PCI bus doing the same thing. Other than control flow, it would also be able to reset a host, do trusted boot, network offload (esp. firewall and authentication), and rate limiting. Boeing implemented a very similar scheme in PCI cards as part of their OASIS proposal for high-assurance pub-sub. So, it's doable.
Interesting to see CFI crowd working on it.