Add ASLR and DEP flags to linker where not on by default

[schlenk]

Python 2.x distutils do not set the linker flags for ASLR and DEP by default (on 32-Bit...), those are only set in Python 3.3+. And those flags are not on by default at least on VS 2008.

So to get ASLR add /DYNAMICBASE (or the 64-bit version with /HIGHENTROPYVA where supported). For DEP add /NXCOMPAT (but thats the default nearly anywhere).

Downside is, that mingw has problems with those two... :-(

(see https://blogs.technet.microsoft.com/srd/2010/12/08/on-the-effectiveness-of-dep-and-aslr/)

[behackett]

I'm not too worried about mingw. I'm (currently) only targeting VC++. Will any of these options cause problems when CPython itself was built without them? CPython seems to be sensitive to extensions being built with the same flags it was built with.

[schlenk]

It works fine. pyca/cryptography added the flags to their build for 2.7.

Its not super useful if Python isn't using ASLR itself, but one can patch ASLR support into the binary with Microsofts EMET or via editbin.exe, its just a bunch of PE header flags.

[behackett]

Great. Thanks for the suggestion. I'll take a look at how cryptography handles it as inspiration.

[behackett]

pyca/cryptography adds the flags here:

https://github.com/pyca/cryptography/blob/b5804e02d72c1f80a6db494979c1b9533516b462/src/_cffi_src/utils.py#L88

[schlenk]

Yes, you probably don't need all those extra complexity they get from using CFFI (unless you wish to use cffi yourself, to support pypy too). Simply adding to link flags should be good enough.

[behackett]

Seems to work without issue on my 32 and 64bit Windows 7 VMs for all the CPython versions we support.