Add compiler-specific hardening flags

CMakeLists.txt

@@ -111,6 +111,82 @@ if(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC")
   endforeach()
 endif()
 
+# Add compiler-specific hardening flags.
+if(CMAKE_CXX_COMPILER_ID MATCHES "^(Clang|GNU)$")
+  add_compile_options(
+    # Warn about potentially unsafe code.
+    -Wall
+    # Warn about implicit conversions that potentially alter a value.
+    -Wconversion
+    # Check argument types of format string function calls, e.g., printf.
+    -Wformat
+    # Check for potential security issues in format string function calls.
+    -Wformat-security
+    # Revert strict aliasing enabled at optimization levels -O2, -O3, -Os.
+    -fno-strict-aliasing
+    # Check for buffer overflows such as stack smashing attacks.
+    -fstack-protector
+    # Enable fortified wrappers of GNU C library functions.
+    -D_FORTIFY_SOURCE=2
+    # Optimize debugging experience, required for _FORTIFY_SOURCE.
+    # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-Og
+    $<$<CONFIG:Debug>:-Og>
+    )
+
+  # We need to support CMake 3.10, add_link_options() was added in CMake 3.13.
+  # link_libraries() passes flags through as long as they do not contain spaces.
+  # https://cmake.org/cmake/help/v3.13/command/add_link_options.html
+  link_libraries(
+    # Check objects for unresolved symbol references.
+    -Wl,--no-undefined
+    # Mark library as not requiring executable stack.
+    -Wl,-z,noexecstack
+    # Resolve all symbols when program is started, instead of on first use.
+    -Wl,-z,now
+    # Mark Global Offset Table read-only after resolving symbols.
+    -Wl,-z,relro
+    )
+elseif(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC")
+  add_compile_options(
+    # Enable compiler warnings.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/compiler-option-warning-level
+    /Wall
+    # Enable buffer security check.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check
+    /GS
+    # Enable additional security shecks.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/sdl-enable-additional-security-checks
+    /sdl
+    # Disable warnings about the use of safe C library functions, which
+    # suggest the use of proprietary, non-portable alternatives.
+    # https://gitlab.gnome.org/GNOME/glib/-/issues/2357
+    # https://github.com/GNOME/glib/blob/49ec7f18e3fd1070a8d546ae6cc4acbea8055dbc/msvc_recommended_pragmas.h#L39-L41
+    -D_CRT_SECURE_NO_WARNINGS
+    -D_CRT_NONSTDC_NO_WARNINGS
+    )
+
+  # We need to support CMake 3.10, add_link_options() was added in CMake 3.13.
+  # link_libraries() passes flags through as long as they do not contain spaces.
+  # https://cmake.org/cmake/help/v3.13/command/add_link_options.html
+  link_libraries(
+    # Enable address space layout randomization.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization
+    -DYNAMICBASE
+    # Always generate relocation section.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address
+    -FIXED:NO
+    # Disable unneeded incremental linking for better performance and smaller size.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally
+    -INCREMENTAL:NO
+    # Enable compatibility with data execution prevention.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/nxcompat-compatible-with-data-execution-prevention
+    -NXCOMPAT
+    # Keep unreferenced symbols.
+    # https://docs.microsoft.com/en-us/cpp/build/reference/opt-optimizations
+    -OPT:NOREF
+    )
+endif()
+
 # https://clang.llvm.org/docs/AddressSanitizer.html
 option(ACL_WITH_ASAN "Build with address sanitizer" OFF)
 message(STATUS "Build with address sanitizer: ${ACL_WITH_ASAN}")