Faré | 20 Jul 2012 01:26

making NIL unwritable

In a discussion at work, we were discussing how one could modify NIL
in safety 0 and hose the system:
(defun foo (x y) (declare (optimize (safety 0))) (rplaca x y))
(foo nil 1)
Of course, with safety 0, anything goes; but it is probably possible
to have a more robust system nonetheless.

For extra safety, one colleague then suggested putting NIL in a read-only page,
problem being that you might still want to have its plist be writable.
Solution: either special-case symbol-plist for NIL, or have it always be indirect,
or have a special marker saying it's indirect, or putting it on the fence between
a readonly page and a writable page, such that you can write the plist
but not other fields.

One advantage of the plist being indirect would be that there could be
a more general class of unwritable CONS cells, possibly allocated in
readonly pages, and source code, constants, backquote results, etc.,
could be made of such unwritable CONS cells.

Just a random idea.

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
Fraud is the homage that force pays to reason.  — Charles Curtis
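
The "fence" layout from the message above, as an added example that is not part of the original post and is not SBCL code: a toy symbol is placed so that only its plist slot falls in the writable page, and the page holding its other slots is made read-only with POSIX mprotect. The struct layout and the names toy_symbol, make_fenced_nil and write_faults are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical object layout: plist is deliberately the last slot. */
struct toy_symbol { void *car, *cdr, *name, *plist; };

/* Map two pages; place the symbol so plist is the first word of page 2. */
struct toy_symbol *make_fenced_nil(void) {
    long pg = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    struct toy_symbol *nil =
        (struct toy_symbol *)(base + pg - offsetof(struct toy_symbol, plist));
    nil->car = nil->cdr = nil;            /* (car nil) and (cdr nil) are nil */
    nil->name = "NIL";
    nil->plist = nil;                     /* empty plist */
    if (mprotect(base, pg, PROT_READ) != 0) return NULL;  /* freeze page 1 */
    return nil;
}

/* Attempt the store in a child process; 1 if the child died on a fault. */
int write_faults(void **slot, void *value) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { *(void *volatile *)slot = value; _exit(0); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) &&
           (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS);
}

int main(void) {
    struct toy_symbol *nil = make_fenced_nil();
    if (!nil) return 1;
    int x = 1;
    /* The unchecked rplaca from the message corresponds to the car store. */
    printf("store to car faults:   %d\n", write_faults(&nil->car, &x));
    printf("store to plist faults: %d\n", write_faults(&nil->plist, &x));
    return 0;
}
```
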
