Intel® C++ Compiler Classic Developer Guide and Reference

ID 767249
Date 7/13/2023
Public

fcf-protection, Qcf-protection

Enables Intel® Control-Flow Enforcement Technology (Intel® CET) protection, which defends your program from certain attacks that exploit vulnerabilities. This option offers preliminary support for Intel® CET.

Syntax

Linux:

-fcf-protection[=keyword]

macOS:

None

Windows:

/Qcf-protection[:keyword]

Arguments

keyword

Specifies the level of protection the compiler should perform. Possible values are:

shadow_stack

Enables shadow stack protection.

branch_tracking

Enables endbranch (EB) generation.

full

Enables both shadow stack protection and EB generation.

This is the same as specifying this compiler option with no keyword.

none

Disables Intel® CET protection.

Default

-fcf-protection=none or /Qcf-protection:none

No Intel® Control-Flow Enforcement Technology protection is performed.

Description

This option enables Intel® CET protection, which defends your program from certain attacks that exploit vulnerabilities.

Intel® CET protections are enforced on processors that support Intel® CET. They are ignored on processors that do not support Intel® CET, so they are safe to use in programs that might run on a variety of processors.

Specifying shadow_stack helps to protect your program from return-oriented programming (ROP). ROP is an exploitation technique that bypasses defenses such as non-executable memory and code signing: the attacker gains control of the call stack, redirects program control flow, and chains together machine instruction sequences that already exist in the program.

Specifying branch_tracking helps to protect your program from call/jump-oriented programming (COP/JOP). Jump-oriented programming (JOP) is a variant of ROP that uses indirect jumps and calls to emulate return instructions. Call-oriented programming (COP) is a variant of ROP that employs indirect calls.

To get both protections, specify this compiler option with no keyword, or specify -fcf-protection=full (Linux*) or /Qcf-protection:full (Windows*).
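The following is an added example and is not part of the Intel documentation. It shows how to confirm, after a Linux build, that the keyword you passed to -fcf-protection actually produced the corresponding CET markers in the binary: the linker records the enabled features in the ELF .note.gnu.property section, which readelf -n prints as "x86 feature: IBT, SHSTK" (IBT corresponds to branch_tracking, SHSTK to shadow_stack). The icpc command line in the comment and the readelf output embedded below are assumed and constructed for the example; the parsing functions only need a POSIX shell, sed, tr and sort.

```shell
#!/bin/sh
# Added example (not from the Intel documentation): after building with
# -fcf-protection, verify that the ELF .note.gnu.property section records
# the CET features the keyword should have enabled.
#
# Typical build and inspection steps on Linux (assumed, not run here):
#   icpc -fcf-protection=full -o app app.cpp
#   readelf -n app | check_cet full
#
# IBT   = indirect branch tracking (endbranch generation, keyword branch_tracking)
# SHSTK = shadow stack (keyword shadow_stack)

# Map a -fcf-protection keyword to the feature names readelf prints.
# An empty keyword means the option was given without a keyword, i.e. full.
expected_features() {
    case "$1" in
        shadow_stack)    echo "SHSTK" ;;
        branch_tracking) echo "IBT" ;;
        full|'')         echo "IBT SHSTK" ;;
        none)            echo "" ;;
        *) echo "unknown keyword: $1" >&2; return 1 ;;
    esac
}

# Extract the "x86 feature:" list from readelf -n output on stdin and print
# it as sorted, space-separated tokens (for example "IBT SHSTK"); prints
# nothing when the binary carries no CET property note.
note_features() {
    sed -n 's/.*x86 feature: *//p' | tr ',' ' ' | tr -s ' ' '\n' \
        | sort | tr '\n' ' ' | sed 's/ *$//'
}

# check_cet KEYWORD < readelf_output
# Returns 0 when the notes carry exactly the features the keyword implies,
# 1 on a mismatch, 2 for an unknown keyword.
check_cet() {
    want=$(expected_features "$1") || return 2
    got=$(note_features)
    if [ "$got" = "$want" ]; then
        echo "OK: -fcf-protection=${1:-full} -> features '${got}'"
        return 0
    fi
    echo "MISMATCH: expected '${want}', found '${got}'" >&2
    return 1
}

# Constructed sample of readelf -n output for a binary built with =full.
SAMPLE_FULL='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline'

# Constructed sample for a binary built with =none (no CET property note).
SAMPLE_NONE='Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 0123456789abcdef0123456789abcdef01234567'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_FULL" | check_cet full
printf '%s\n' "$SAMPLE_NONE" | check_cet none
printf '%s\n' "$SAMPLE_FULL" | check_cet shadow_stack || echo "(expected mismatch: full build checked against shadow_stack)"
```

The note only proves what the compiler and linker emitted. Whether the shadow stack and endbranch checks are actually enforced at run time additionally depends on the processor, the operating system and the dynamic loader enabling Intel® CET for the process; on hardware or systems without that support the markers are present but inert, which is the "safe to use on a variety of processors" behaviour described above.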

IDE Equivalent

None

Alternate Options

Linux and macOS: -qcf-protection

Windows: None