Developer Guide and Reference

ID 767251
Date 10/31/2024
Public

fcf-protection, Qcf-protection

Enables Intel® Control-Flow Enforcement Technology (Intel® CET) protection, which defends your program from certain attacks that exploit vulnerabilities. This option offers preliminary support for Intel® CET.

Syntax

Linux:

-fcf-protection[=keyword]

Windows:

/Qcf-protection[:keyword]

Arguments

keyword

Specifies the level of protection the compiler should perform. Possible values are:

return

Enables shadow stack protection. This keyword is only available on Linux.

branch

Enables endbranch (EB) generation. This keyword is only available on Linux.

shadow_stack

Enables shadow stack protection. This keyword is only available on Windows.

branch_tracking

Enables endbranch (EB) generation. This keyword is only available on Windows.

full

Enables shadow stack protection and endbranch (EB) generation.

This is the same as specifying this compiler option with no keyword.

none

Disables Intel® CET protection.

Default

-fcf-protection=none or /Qcf-protection:none

No Control-flow Enforcement protection is performed.

Description

This option enables Intel® CET protection, which defends your program from certain attacks that exploit vulnerabilities.

Intel® CET protections are enforced on processors that support Intel® CET. They are ignored on processors that do not support Intel® CET, so they are safe to use in programs that might run on a variety of processors.

Shadow stack protection helps to protect your program from return-oriented programming (ROP), a technique that bypasses defenses such as non-executable memory and code signing by gaining control of the call stack, modifying program control flow, and then executing chosen machine instruction sequences that already exist in the program.

Endbranch (EB) generation helps to protect your program from call/jump-oriented programming (COP/JOP). Jump-oriented programming (JOP) is a variant of ROP that uses indirect jumps and calls to emulate return instructions. Call-oriented programming (COP) is a variant of ROP that employs indirect calls.

NOTE:

This option only applies to host compilation. When offloading is enabled, it does not impact device-specific compilation.
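The option itself is only half of the story on Linux: the protection takes effect only if the final binary carries the GNU property note (the .note.gnu.property section) that marks it as IBT (endbranch) and SHSTK (shadow stack) compatible, and GNU ld only sets each bit when every input object has it, so a single object compiled without the option silently drops the mark for the whole program. The script below is an added example, not part of the Intel documentation: it reads `readelf -n` output (binutils prints the flags as "x86 feature: IBT, SHSTK") and reports which protection level the binary actually carries. The three `readelf` excerpts are constructed samples so the script runs offline; `cet_level_of_file` is the wrapper you would run on a real binary.

```shell
#!/bin/sh
# Added example (not from the Intel documentation): report the Intel CET
# protection level recorded in a Linux ELF binary's .note.gnu.property note.

# Constructed sample of `readelf -n` output for a binary built with
# -fcf-protection=full (layout follows binutils' note display).
SAMPLE_FULL='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline'

# Constructed sample for a binary built with -fcf-protection=branch only.
SAMPLE_BRANCH='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT'

# Constructed sample for a binary built without the option: no property
# note at all, only a build-id note (placeholder build id).
SAMPLE_NONE='Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 0000000000000000000000000000000000000000'

# cet_level: read `readelf -n` output on stdin and print one of
#   full | branch | return | none
# matching the keyword the binary was effectively built with.
cet_level() {
    # Only the first property line matters; head keeps the exit status 0
    # even when grep finds nothing.
    feat=$(grep 'x86 feature:' | head -n 1)
    ibt=0; shstk=0
    case "$feat" in *IBT*)   ibt=1 ;; esac
    case "$feat" in *SHSTK*) shstk=1 ;; esac
    if [ "$ibt" = 1 ] && [ "$shstk" = 1 ]; then
        echo full
    elif [ "$ibt" = 1 ]; then
        echo branch
    elif [ "$shstk" = 1 ]; then
        echo return
    else
        echo none
    fi
}

# cet_level_of_file: run the check on a real binary (needs binutils' readelf).
cet_level_of_file() {
    readelf -n "$1" 2>/dev/null | cet_level
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_FULL"   | cet_level   # full
printf '%s\n' "$SAMPLE_BRANCH" | cet_level   # branch
printf '%s\n' "$SAMPLE_NONE"   | cet_level   # none
```

Run `cet_level_of_file ./a.out` on a binary built with this option; anything other than the level you asked for usually means some object file or static library in the link was compiled without -fcf-protection and the linker cleared the corresponding bit. Remember that the note only records what the toolchain emitted; on a processor or kernel without Intel CET support the marked binary still runs, as the documentation says, but without enforcement.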

IDE Equivalent

None

Alternate Options

Linux: -qcf-protection

Windows: None