I think we should enable some hardening flags when compiling with MinGW.
-Wl,--dynamicbase (linker flag) to enable ASLR (address space layout randomization) which should have been the default (MSVC enables this). This depends on the relocation table, so we have to make sure it is there too and is not stripped. Also enable -Wl,--high-entropy-va. Not sure if we have to specify base addresses above 4GB for more security?Implemented
-Wl,--nxcompat (linker flag too) to enable DEP (data execution prevention) which should have been the default too (MSVC enables this too).Implemented
- Enable stack smashing protector (ssp): This can protect against buffer overflow by checking the return address at the end of a function. This implies a performance penalty, but does give a bit security. Use the flags -fstack-protector-all or -fstack-protector-strong for a balance between performance and security, we can set --param ssp-buffer-size=<something> to set the minimum buffer size to protect. (MSVC seems to have its version enabled by default)
Enabling these shouldn't really cause any problems, but still it should be tested.