fcf-protection, Qcf-protection
Enables Intel® Control-Flow Enforcement Technology (Intel® CET) protection, which defends your program from certain attacks that exploit vulnerabilities. This option offers preliminary support for Intel® CET.
Linux: -fcf-protection[=keyword]
macOS: None
Windows: /Qcf-protection[:keyword]
keyword
    Specifies the level of protection the compiler should perform. Possible values are:
    -fcf-protection=none or /Qcf-protection:none
        No Control-flow Enforcement protection is performed.
This option enables Intel® CET protection, which defends your program from certain attacks that exploit vulnerabilities.
Intel® CET protections are enforced on processors that support Intel® CET. They are ignored on processors that do not support Intel® CET, so they are safe to use in programs that might run on a variety of processors.
Specifying shadow_stack helps to protect your program from return-oriented programming (ROP). ROP is a technique for defeating security defenses such as non-executable memory and code signing: the attacker gains control of the call stack to modify program control flow and then executes certain machine instruction sequences.
Specifying branch_tracking helps to protect your program from call/jump-oriented programming (COP/JOP). Jump-oriented programming (JOP) is a variant of ROP that uses indirect jumps and calls to emulate return instructions. Call-oriented programming (COP) is a variant of ROP that employs indirect calls.
To get both protections, specify this compiler option with no keyword, or specify -fcf-protection=full (Linux*) or /Qcf-protection:full (Windows*).
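A build-pipeline check that the option took effect on a linked Linux binary, added here as an example (it is not Intel's code). It assumes the toolchain records CET enablement in the ELF GNU property note, as GCC and Clang do on Linux; the constants come from the x86-64 psABI, and `cet_features` and `constructed_elf` are names made up for this example.

```python
import struct
# ELF / x86-64 psABI constants (not from the Intel page); the sample ELF below is constructed.
PT_NOTE, NT_GNU_PROPERTY_TYPE_0 = 4, 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURES = {0x1: "branch_tracking", 0x2: "shadow_stack"}  # IBT and SHSTK bits

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def _note_bits(seg, align):
    """OR together the x86 feature bits of every GNU property note in one PT_NOTE segment."""
    pos = bits = 0
    while pos + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
        desc_off = _align(pos + 12 + namesz, align)
        desc = seg[desc_off:desc_off + descsz]
        is_gnu = seg[pos + 12:pos + 12 + namesz] == b"GNU\0"
        p = 0
        while is_gnu and ntype == NT_GNU_PROPERTY_TYPE_0 and p + 12 <= len(desc):
            pr_type, pr_size = struct.unpack_from("<II", desc, p)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_size >= 4:
                bits |= struct.unpack_from("<I", desc, p + 8)[0]
            p = _align(p + 8 + pr_size, 8)  # ELF64 pads each property to 8 bytes
        pos = _align(desc_off + descsz, align)
    return bits

def cet_features(elf):
    """Return the CET protections a little-endian ELF64 image is marked with."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    bits = 0
    for i in range(phnum):
        ph = phoff + i * phentsize
        (p_type,) = struct.unpack_from("<I", elf, ph)
        offset, _, _, filesz, _, p_align = struct.unpack_from("<6Q", elf, ph + 8)
        if p_type == PT_NOTE:
            bits |= _note_bits(elf[offset:offset + filesz], max(p_align, 4))
    return {name for bit, name in FEATURES.items() if bits & bit}

def constructed_elf(feature_bits):
    """Build a minimal constructed ELF64 image with one PT_NOTE segment (sample input)."""
    prop = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01",
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<II6Q", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 8)
    return ehdr + phdr + note
```

To check a real build, pass the file's bytes to `cet_features`. The linker keeps a feature bit only when every input object carries it, so one object or static library built without the option clears the marker for the whole binary.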
Linux and macOS: -qcf-protection
Windows: None