fcf-protection, Qcf-protection

Intel® C++ Compiler Classic Developer Guide and Reference

Download PDF

ID 767249

Date 12/16/2022

Version

Public

A newer version of this document is available. Customers should click here to go to the newest version.

Visible to Intel only — GUID: GUID-59552675-7A3E-4FF1-9BF2-8ED0AC2071B3

View Details

fcf-protection, Qcf-protection

Enables Intel® Control-Flow Enforcement Technology (Intel® CET) protection, which defends your program from certain attacks that exploit vulnerabilities. This option offers preliminary support for Intel® CET.

Syntax

Linux:

-fcf-protection[=keyword]

macOS:

None

Windows:

/Qcf-protection[:keyword]

Arguments

keyword

Specifies the level of protection the compiler should perform. Possible values are:

shadow_stack	Enables shadow stack protection.
branch_tracking	Enables endbranch (EB) generation.
full	Enables both shadow stack protection and EB generation. This is the same as specifying this compiler option with no `keyword`.
none	Disables Intel® CET protection.

Default

-fcf-protection=none or /Qcf-protection:none

No Control-flow Enforcement protection is performed.

Description

This option enables Intel® CET protection, which defends your program from certain attacks that exploit vulnerabilities.

Intel® CET protections are enforced on processors that support Intel® CET. They are ignored on processors that do not support Intel® CET, so they are safe to use in programs that might run on a variety of processors.

Specifying shadow_stack helps to protect your program from return-oriented programming (ROP). Return-oriented programming (ROP) is a technique to exploit computer security defenses such as non-executable memory and code signing by gaining control of the call stack to modify program control flow and then execute certain machine instruction sequences.

Specifying branch_tracking helps to protect your program from call/jump-oriented programming (COP/JOP). Jump-oriented programming (JOP) is a variant of ROP that uses indirect jumps and calls to emulate return instructions. Call-oriented programming (COP) is a variant of ROP that employs indirect calls.

To get both protections, specify this compiler option with no keyword, or specify -fcf-protection=full (Linux*) or /Qcf-protection:full (Windows*).

IDE Equivalent

None

Alternate Options

Linux and macOS: -qcf-protection

Windows: None

Parent topic: Code Generation Options

Select Your Language

Using Intel.com Search

Quick Links

Recent Searches

Advanced Search

Only search in

Intel® C++ Compiler Classic Developer Guide and Reference

fcf-protection, Qcf-protection