Developer Guide and Reference

qcf-protection, Qcf-protection

Enables Control-flow Enforcement Technology (CET) protection, which defends your program from certain attacks that exploit vulnerabilities. This option offers preliminary support for CET.

Syntax

Linux: -qcf-protection[=keyword]
macOS: None
Windows: /Qcf-protection[:keyword]

Arguments

keyword
Specifies the level of protection the compiler should perform. Possible values are:

shadow_stack: Enables shadow stack protection.
branch_tracking: Enables endbranch (EB) generation.
full: Enables both shadow stack protection and endbranch (EB) generation. This is the same as specifying the [q or Q]cf-protection option with no keyword.
none: Disables Control-flow Enforcement Technology (CET) protection.

Default

-qcf-protection=none or /Qcf-protection:none
No Control-flow Enforcement protection is performed.

Description

This option enables Control-flow Enforcement Technology (CET) protection, which defends your program from certain attacks that exploit vulnerabilities.

CET protections are enforced on processors that support CET. They are ignored on processors that do not support CET, so they are safe to use in programs that might run on a variety of processors.

Specifying shadow_stack helps to protect your program from return-oriented programming (ROP). ROP is a technique for bypassing security defenses such as non-executable memory and code signing by gaining control of the call stack to modify program control flow and then execute certain machine instruction sequences.

Specifying branch_tracking helps to protect your program from call/jump-oriented programming (COP/JOP). Jump-oriented programming (JOP) is a variant of ROP that uses indirect jumps and calls to emulate return instructions. Call-oriented programming (COP) is a variant of ROP that employs indirect calls.

To get both protections, specify [q or Q]cf-protection with no keyword, or specify -qcf-protection=full (Linux*) or /Qcf-protection:full (Windows*).

On Linux and macOS* systems, you can also specify gcc option -fcf-protection to enable CET features. For more information about that option, see the gcc documentation.
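
To confirm that a Linux build kept its CET marking, a build check can decode the .note.gnu.property section that GNU toolchains emit for -fcf-protection. The following is an added example, not code from this guide or from Intel. It assumes an x86-64 little-endian section (for instance one dumped with objcopy), the function name and sample bytes are constructed for illustration, and that -qcf-protection is recorded the same way as the gcc option is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NT_GNU_PROPERTY_TYPE_0           5u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u /* branch_tracking */
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u /* shadow_stack */

static uint32_t rd32(const uint8_t *p) { /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: returns the IBT/SHSTK bits found in the raw bytes of
 * a .note.gnu.property section, 0 if no CET property is present, or -1 if a
 * note or property runs past the buffer. Assumes the GNU note layout. */
int cet_features(const uint8_t *sec, size_t len) {
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(sec + off), descsz = rd32(sec + off + 4);
        uint32_t type = rd32(sec + off + 8);
        size_t name = off + 12;
        size_t desc = name + (((size_t)namesz + 3) & ~(size_t)3);
        if (desc > len || descsz > len - desc) return -1;
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 && !memcmp(sec + name, "GNU", 4)) {
            size_t p = desc, end = desc + descsz;
            while (p + 8 <= end) {
                uint32_t pr_type = rd32(sec + p), pr_datasz = rd32(sec + p + 4);
                if (pr_datasz > end - p - 8) return -1;
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz >= 4)
                    return (int)(rd32(sec + p + 8) & 3u);
                p += 8 + (((size_t)pr_datasz + 7) & ~(size_t)7); /* 8-byte padding */
            }
        }
        off = desc + (((size_t)descsz + 7) & ~(size_t)7);
    }
    return 0;
}

/* Constructed sample: one note with FEATURE_1_AND = IBT | SHSTK ("full"). */
static const uint8_t SAMPLE_FULL[] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0,0,0xc0, 4,0,0,0, 0x03,0,0,0, 0,0,0,0 };

int main(void) {
    int f = cet_features(SAMPLE_FULL, sizeof SAMPLE_FULL);
    printf("IBT=%d SHSTK=%d\n", !!(f & GNU_PROPERTY_X86_FEATURE_1_IBT),
           !!(f & GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    return 0;
}
```

The property is an AND across all linked objects, so a single object or library built without the option clears the bit in the final binary; checking the linked output rather than individual objects catches that.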

Alternate Options

Linux and macOS*: -fcf-protection (supported gcc option)
Windows: None
