SECOMP: Formally Secure Compilation of Compartmentalized C Programs
Jérémy Thibault, Roberto Blanco, Dongjae Lee, Sven Argo, Arthur Azevedo de Amorim, Aïna Linn Georges, Catalin Hritcu, Andrew Tolmach
TL;DR
SECOMP delivers a formally secure compiler for compartmentalized C by extending CompCert with isolated compartments and a shadow-stack mechanism to enforce cross-compartment control. The approach combines a machine-checked correctness proof with a secure compilation proof structure based on back-translation, recomposition, and blame, culminating in a robust preservation of safety properties against adversarial contexts $RSC^{DC}_{MD}$ for targeted trace prefixes. Key innovations include a memory-injection-based memory model, informative traces for back-translation, and a three-way recomposition framework, reinforced by a capability-based enforcement backend on CHERI-RISC-V. The work demonstrates a practical path toward secure compilation of mainstream languages, scalable through proof engineering techniques and modular extensions of an industrial-strength compiler. Future work targets more realistic IPC, memory sharing, diverse backends, and broader hardware targets, aiming to raise SECOMP toward hypersafety guarantees.
Abstract
Undefined behavior in C often causes devastating security vulnerabilities. One practical mitigation is compartmentalization, which allows developers to structure large programs into mutually distrustful compartments with clearly specified privileges and interactions. In this paper we introduce SECOMP, a compiler for compartmentalized C code that comes with machine-checked proofs guaranteeing that the scope of undefined behavior is restricted to the compartments that encounter it and become dynamically compromised. These guarantees are formalized as the preservation of safety properties against adversarial contexts, a secure compilation criterion similar to full abstraction, and this is the first time such a strong criterion is proven for a mainstream programming language. To achieve this we extend the languages of the CompCert verified C compiler with isolated compartments that can only interact via procedure calls and returns, as specified by cross-compartment interfaces. We adapt the passes and optimizations of CompCert as well as their correctness proofs to this compartment-aware setting. We then use compiler correctness as an ingredient in a larger secure compilation proof that involves several proof engineering novelties, needed to scale formally secure compilation up to a C compiler.