Undefined behavior in C often causes devastating security vulnerabilities. One practical mitigation is compartmentalization, which allows developers to structure large programs into mutually distrustful compartments with clearly specified privileges and interactions. In this paper we introduce SECOMP, a compiler for compartmentalized C code that comes with machine-checked proofs guaranteeing that the scope of undefined behavior is restricted to the compartments that encounter it and become dynamically compromised. These guarantees are formalized as the preservation of safety properties against adversarial contexts, a secure compilation criterion similar to full abstraction, and this is the first time such a strong criterion is proven for a mainstream programming language. To achieve this we extend the languages of the CompCert verified C compiler with isolated compartments that can only interact via procedure calls and returns, as specified by cross-compartment interfaces. We adapt the passes and optimizations of CompCert as well as their correctness proofs to this compartment-aware setting. We then use compiler correctness as an ingredient in a larger secure compilation proof that involves several proof engineering novelties, needed to scale formally secure compilation up to a C compiler.

翻译：C语言中的未定义行为常导致严重的安全漏洞。一种实用的缓解措施是分区化，允许开发者将大型程序组织成相互不信任的分区，并明确指定其权限和交互。本文提出SECOMP——一款面向分区化C代码的编译器，它附带机器验证的证明，保证未定义行为的作用范围仅限于遭遇该行为并被动态攻陷的分区。这些保证被形式化为面向敌手上下文的 safety 属性保持（一种与完全抽象类似的安全编译准则），这是首次为主流编程语言证明如此强的准则。为实现此目标，我们将CompCert验证C编译器的语言扩展为包含隔离分区，这些分区仅能通过跨分区接口规定的过程调用与返回进行交互。我们调整了CompCert的编译遍及其正确性证明，使其适应这种分区感知环境。进而将编译器正确性作为大规模安全编译证明的要素之一，该证明涉及多项证明工程创新，以将形式化安全编译扩展至C编译器规模。