Insecure access through null-pointers

Consider a tuple type big enough to fill the entire memory space. Take a pointer to that type and instantiate it to NULL. Adding to this pointer will allow an attacker to obtain a pointer to any address at \(null + a \cdot x\) where \(x\) is an integer and \(a\) is the smallest possible type.

The attacker can read from this location if the pointer type is set to a suitably low level. The attacker controls the level of the pointer type, so this is not a hindrance.

A mitigation for this attack is disallowing dereferencing pointers that originated as NULL. This can be done through pointer versioning. If null-pointers are assigned a version that is never usable in any context, they will never be usable, even after being used in pointer arithmetic, since pointer arithmetic does not affect the pointer version.