Index: src/OFObject.m
==================================================================
--- src/OFObject.m
+++ src/OFObject.m
@@ -327,10 +327,15 @@
 	objc_setEnumerationMutationHandler(enumerationMutationHandler);
 
 	do {
 		of_hash_seed = of_random32();
 	} while (of_hash_seed == 0);
+
+#ifdef OF_OBJFW_RUNTIME
+	objc_setTaggedPointerSecret(sizeof(uintptr_t) == 4
+	    ? (uintptr_t)of_random32() : (uintptr_t)of_random64());
+#endif
 }
 
 + (void)unload
 {
 }

Index: src/runtime/ObjFWRT.h
==================================================================
--- src/runtime/ObjFWRT.h
+++ src/runtime/ObjFWRT.h
@@ -242,10 +242,11 @@
     void *_Nullable bytes);
 extern void *_Nullable objc_destructInstance(id _Nullable object);
 extern void *_Null_unspecified objc_autoreleasePoolPush(void);
 extern void objc_autoreleasePoolPop(void *_Null_unspecified pool);
 extern id _Nullable _objc_rootAutorelease(id _Nullable object);
+extern void objc_setTaggedPointerSecret(uintptr_t secret);
 extern int objc_registerTaggedPointerClass(Class _Nonnull class);
 extern Class _Nullable object_getTaggedPointerClass(id _Nonnull object);
 extern uintptr_t object_getTaggedPointerValue(id _Nonnull object);
 extern id _Nullable objc_createTaggedPointer(int class, uintptr_t value);
 

Index: src/runtime/amiga-glue.m
==================================================================
--- src/runtime/amiga-glue.m
+++ src/runtime/amiga-glue.m
@@ -798,37 +798,45 @@
 	M68K_ARG(struct objc_hashtable *, table, a0)
 
 	objc_hashtable_free(table);
 }
 
-int
+void __saveds
+glue_objc_setTaggedPointerSecret PPC_PARAMS(uintptr_t secret)
+{
+	M68K_ARG(uintptr_t, secret, d0)
+
+	objc_setTaggedPointerSecret(secret);
+}
+
+int __saveds
 glue_objc_registerTaggedPointerClass PPC_PARAMS(Class class)
 {
 	M68K_ARG(Class, class, a0)
 
 	return objc_registerTaggedPointerClass(class);
 }
 
-Class
+Class __saveds
 glue_object_getTaggedPointerClass PPC_PARAMS(id object)
 {
 	M68K_ARG(id, object, a0)
 
 	return object_getTaggedPointerClass(object);
 }
 
-uintptr_t
+uintptr_t __saveds
 glue_object_getTaggedPointerValue PPC_PARAMS(id object)
 {
 	M68K_ARG(id, object, a0)
 
 	return object_getTaggedPointerValue(object);
 }
 
-id
+id __saveds
 glue_objc_createTaggedPointer PPC_PARAMS(int class, uintptr_t value)
 {
 	M68K_ARG(int, class, d0)
 	M68K_ARG(uintptr_t, value, d1)
 
 	return objc_createTaggedPointer(class, value);
 }

Index: src/runtime/amiga-library.m
==================================================================
--- src/runtime/amiga-library.m
+++ src/runtime/amiga-library.m
@@ -145,10 +145,11 @@
 extern struct objc_hashtable *glue_objc_hashtable_new(void);
 extern void glue_objc_hashtable_set(void);
 extern void *glue_objc_hashtable_get(void);
 extern void glue_objc_hashtable_delete(void);
 extern void glue_objc_hashtable_free(void);
+extern void glue_objc_setTaggedPointerSecret(void);
 extern int glue_objc_registerTaggedPointerClass(void);
 extern Class _Nullable glue_object_getTaggedPointerClass(void);
 extern uintptr_t glue_object_getTaggedPointerValue(void);
 extern id _Nullable glue_objc_createTaggedPointer(void);
 
@@ -675,10 +676,11 @@
 	(CONST_APTR)glue_objc_hashtable_new,
 	(CONST_APTR)glue_objc_hashtable_set,
 	(CONST_APTR)glue_objc_hashtable_get,
 	(CONST_APTR)glue_objc_hashtable_delete,
 	(CONST_APTR)glue_objc_hashtable_free,
+	(CONST_APTR)glue_objc_setTaggedPointerSecret,
 	(CONST_APTR)glue_objc_registerTaggedPointerClass,
 	(CONST_APTR)glue_object_getTaggedPointerClass,
 	(CONST_APTR)glue_object_getTaggedPointerValue,
 	(CONST_APTR)glue_objc_createTaggedPointer,
 	(CONST_APTR)-1,

Index: src/runtime/amigaos3.sfd
==================================================================
--- src/runtime/amigaos3.sfd
+++ src/runtime/amigaos3.sfd
@@ -88,10 +88,11 @@
 void glue_objc_hashtable_set(struct objc_hashtable *_Nonnull table, const void *_Nonnull key, const void *_Nonnull object)(a0,a1,a2)
 void *_Nullable glue_objc_hashtable_get(struct objc_hashtable *_Nonnull table, const void *_Nonnull key)(a0,a1)
 void glue_objc_hashtable_delete(struct objc_hashtable *_Nonnull table, const void *_Nonnull key)(a0,a1)
 void glue_objc_hashtable_free(struct objc_hashtable *_Nonnull table)(a0)
 * Public functions again
+void glue_objc_setTaggedPointerSecret(uintptr_t secret)(d0)
 int glue_objc_registerTaggedPointerClass(Class _Nonnull class_)(a0)
 Class _Nullable glue_object_getTaggedPointerClass(id _Nonnull object)(a0)
 uintptr_t glue_object_getTaggedPointerValue(id _Nonnull object)(a0)
 id _Nullable glue_objc_createTaggedPointer(int class_, uintptr_t value)(d0,d1)
 ==end

Index: src/runtime/lookup-asm/lookup-asm-x86-elf.S
==================================================================
--- src/runtime/lookup-asm/lookup-asm-x86-elf.S
+++ src/runtime/lookup-asm/lookup-asm-x86-elf.S
@@ -61,15 +61,17 @@
 	add	eax, offset _GLOBAL_OFFSET_TABLE_
 	lea	eax, [eax+\not_found@GOTOFF]
 	jmp	eax
 
 .Ltagged_pointer_\name:
-	and	dl, 0xE
-	movzx	edx, dl
-
 	call	get_eip
 	add	eax, offset _GLOBAL_OFFSET_TABLE_
+
+	lea	ecx, [eax+objc_tagged_pointer_secret@GOTOFF]
+	xor	edx, [ecx]
+	and	dl, 0xE
+	movzx	edx, dl
 
 	lea	eax, [eax+objc_tagged_pointer_classes@GOTOFF]
 	mov	edx, [eax+edx*2]
 	mov	edx, [edx+32]
 

Index: src/runtime/lookup-asm/lookup-asm-x86_64-elf.S
==================================================================
--- src/runtime/lookup-asm/lookup-asm-x86_64-elf.S
+++ src/runtime/lookup-asm/lookup-asm-x86_64-elf.S
@@ -54,10 +54,12 @@
 	jz	short \not_found@PLT
 
 	ret
 
 .Ltagged_pointer_\name:
+	mov	rax, [rip+objc_tagged_pointer_secret@GOTPCREL]
+	xor	rdi, [rax]
 	and	dil, 0xE
 	movzx	r8, dil
 
 	mov	rax, [rip+objc_tagged_pointer_classes@GOTPCREL]
 	mov	r8, [rax+r8*4]

Index: src/runtime/lookup-asm/lookup-asm-x86_64-macho.S
==================================================================
--- src/runtime/lookup-asm/lookup-asm-x86_64-macho.S
+++ src/runtime/lookup-asm/lookup-asm-x86_64-macho.S
@@ -52,10 +52,12 @@
 	jz	$1
 
 	ret
 
 Ltagged_pointer_$0:
+	mov	rax, [rip+objc_tagged_pointer_secret@GOTPCREL]
+	xor	rdi, [rax]
 	and	dil, 0xE
 	movzx	r8, dil
 
 	mov	rax, [rip+_objc_tagged_pointer_classes]
 	mov	r8, [rax+r8*4]

Index: src/runtime/morphos-clib.h
==================================================================
--- src/runtime/morphos-clib.h
+++ src/runtime/morphos-clib.h
@@ -83,9 +83,10 @@
 void glue_objc_hashtable_set(struct objc_hashtable *, const void *, const void *);
 void *glue_objc_hashtable_get(struct objc_hashtable *, const void *);
 void glue_objc_hashtable_delete(struct objc_hashtable *, const void *);
 void glue_objc_hashtable_free(struct objc_hashtable *);
 /* Public functions again */
+void glue_objc_setTaggedPointerSecret(uintptr_t);
 int glue_objc_registerTaggedPointerClass(Class);
 Class _Nullable glue_object_getTaggedPointerClass(id);
 uintptr_t glue_object_getTaggedPointerValue(id);
 id glue_objc_createTaggedPointer(int, uintptr_t);

Index: src/runtime/morphos.fd
==================================================================
--- src/runtime/morphos.fd
+++ src/runtime/morphos.fd
@@ -86,10 +86,11 @@
 glue_objc_hashtable_set(table,key,object)(sysv,r12base)
 glue_objc_hashtable_get(table,key)(sysv,r12base)
 glue_objc_hashtable_delete(table,key)(sysv,r12base)
 glue_objc_hashtable_free(table)(sysv,r12base)
 * Public functions again
+glue_objc_setTaggedPointerSecret(secret)(sysv,r12base)
 glue_objc_registerTaggedPointerClass(class_)(sysv,r12base)
 glue_object_getTaggedPointerClass(object)(sysv,r12base)
 glue_object_getTaggedPointerValue(object)(sysv,r12base)
 glue_objc_createTaggedPointer(class_,value)(sysv,r12base)
 ##end

Index: src/runtime/tagged-pointer.m
==================================================================
--- src/runtime/tagged-pointer.m
+++ src/runtime/tagged-pointer.m
@@ -22,10 +22,17 @@
 #define TAGGED_POINTER_BITS 4
 #define NUM_TAGGED_POINTER_CLASSES (1 << (TAGGED_POINTER_BITS - 1))
 
 Class objc_tagged_pointer_classes[NUM_TAGGED_POINTER_CLASSES];
 static int taggedPointerClassesCount;
+uintptr_t objc_tagged_pointer_secret;
+
+void
+objc_setTaggedPointerSecret(uintptr_t secret)
+{
+	objc_tagged_pointer_secret = secret & ~(uintptr_t)1;
+}
 
 int
 objc_registerTaggedPointerClass(Class class)
 {
 	int i;
@@ -46,11 +53,11 @@
 }
 
 Class
 object_getTaggedPointerClass(id object)
 {
-	uintptr_t pointer = (uintptr_t)object;
+	uintptr_t pointer = (uintptr_t)object ^ objc_tagged_pointer_secret;
 
 	pointer &= (1 << TAGGED_POINTER_BITS) - 1;
 	pointer >>= 1;
 
 	if (pointer >= NUM_TAGGED_POINTER_CLASSES)
@@ -60,11 +67,11 @@
 }
 
 uintptr_t
 object_getTaggedPointerValue(id object)
 {
-	uintptr_t pointer = (uintptr_t)object;
+	uintptr_t pointer = (uintptr_t)object ^ objc_tagged_pointer_secret;
 
 	pointer >>= TAGGED_POINTER_BITS;
 
 	return pointer;
 }
@@ -81,7 +88,7 @@
 		return nil;
 
 	pointer = (class << 1) | 1;
 	pointer |= (value << TAGGED_POINTER_BITS);
 
-	return (id)pointer;
+	return (id)(pointer ^ objc_tagged_pointer_secret);
 }