- Compile flags:
- /GS: Stack protection from buffer overrun.
- /SDL: Subset of W3&W4 security warnings as errors.
- Use warning 4.
- /WX: Treat Warnings As Errors.
- Linker flags:
- /DYNAMICBASE: Randomize module base address to ensure that our code is at different location each time it is loaded.
- /NXCOMPAT: Data Execution Prevention to ensure that data is difficult to execute.
- /SAFESEH: Secure Exception Handling. Project->Properties->Linker->Advanced->Image has Safe Exception Handlers.
- Using VS Code Analysis to find vulnerability.
- Including Banned.h in projects to find unsafe methods which are listed in Banned.h.
- Using BannedAPIextension to flag banned api use in editor. (only available for VS2010)
- Enable /SEHOP in registry setting:
-
- Click Start, click Run, type regedit, and then press ENTER.
- Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidationHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\subkey, follow these steps to create it:
- Right-click kernel, point to New, and then click DWORD Value.
- Type DisableExceptionChainValidation, and then press ENTER.
- Double-click DisableExceptionChainValidation.
- Change the value of the DisableExceptionChainValidation registry entry to 0 to enable it, and then click OK.
Note A value of 1 disables the registry entry. A value of 0 enables it.
-