Untitled

a guest
Apr 24th, 2017
-Wall -Wextra
Turn on all warnings to help ensure the underlying code is secure.
-Wconversion -Wsign-conversion
Warn on unsigned/signed conversion.
-Wformat-security
Warn about uses of format functions that represent possible security problems.
-Werror
Turns all warnings into errors.
-arch x86_64
Compile for 64-bit to take maximum advantage of address space (important for ASLR; more virtual address space to choose from when randomising layout).
-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
Your choice of "-fstack-protector" does not protect all functions (see comments). You need -fstack-protector-all to guarantee guards are applied to all functions, although this will likely incur a performance penalty. Consider -fstack-protector-strong as a middle ground.
The -Wstack-protector flag here gives warnings for any functions that aren't going to get protected.
-pie -fPIE
For ASLR.
-ftrapv
Generates traps for signed overflow (currently bugged in gcc).
-D_FORTIFY_SOURCE=2 -O2
Buffer overflow checks. See also the difference between =2 and =1.
-Wl,-z,relro,-z,now
RELRO (read-only relocation). The options relro and now specified together are known as "Full RELRO". You can specify "Partial RELRO" by omitting the now flag. RELRO marks various ELF memory sections read-only (e.g. the GOT).
If compiling on Windows, please use Visual Studio instead of GCC, as some protections for Windows (e.g. SEHOP) are not part of GCC, but if you must use GCC:

-Wl,--dynamicbase
Tell the linker to use ASLR protection.
-Wl,--nxcompat
Tell the linker to use DEP protection.

-->

-D_FORTIFY_SOURCE=2
-fstack-protector --param ssp-buffer-size=4
-fPIE -pie
-Wl,-z,relro,-z,now (ld -z relro and ld -z now)
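
Added example, not part of the original paste: one way to confirm that the flags above took effect is to inspect the linked ELF binary. The script classifies the combined output of readelf -W -h -l -d -s; the function names audit_text and audit_file and the SAMPLE text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the paste): report which of the listed hardening
# options are visible in an ELF binary, judged from readelf output.

# Constructed sample: trimmed readelf lines as a fully hardened build prints them.
SAMPLE='  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (4)'

# audit_text TEXT: TEXT is the output of `readelf -W -h -l -d -s FILE`.
# Prints: pie=<yes|no> relro=<full|partial|none> canary=<yes|no> fortify=<yes|no>
audit_text() {
    t=$1
    has() { printf '%s\n' "$t" | grep -Eq -- "$1"; }

    # -pie -fPIE: the ELF header type is DYN instead of EXEC.
    if has 'Type:[[:space:]]+DYN'; then pie=yes; else pie=no; fi

    # -Wl,-z,relro adds a GNU_RELRO segment; -z,now adds BIND_NOW / FLAGS_1 NOW.
    if has 'GNU_RELRO'; then
        if has 'BIND_NOW|FLAGS_1.*NOW'; then relro=full; else relro=partial; fi
    else
        relro=none
    fi

    # -fstack-protector*: guarded functions reference __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi

    # -D_FORTIFY_SOURCE: checked libc variants such as __strcpy_chk are imported.
    if has '__[a-z0-9_]+_chk(@|$)'; then fortify=yes; else fortify=no; fi

    printf 'pie=%s relro=%s canary=%s fortify=%s\n' "$pie" "$relro" "$canary" "$fortify"
}

# audit_file FILE: run readelf on a real binary and classify it.
audit_file() {
    audit_text "$(readelf -W -h -l -d -s "$1")"
}

# With a path argument, audit that binary; otherwise only define the functions.
if [ "$#" -gt 0 ]; then audit_file "$1"; fi
```

A result of canary=no or fortify=no can also mean that no function in the binary needed a guard or a checked libc call, so treat "no" as a prompt to review the build flags rather than as proof they were missing.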