Undefined behavior in C often causes devastating security vulnerabilities. One practical mitigation is compartmentalization, which allows developers to structure large programs into mutually distrustful compartments with clearly specified privileges and interactions. In this paper we introduce SECOMP, a compiler for compartmentalized C code that comes with machine-checked proofs guaranteeing that the scope of undefined behavior is restricted to the compartments that encounter it and become dynamically compromised. These guarantees are formalized as the preservation of safety properties against adversarial contexts, a secure compilation criterion similar to full abstraction, and this is the first time such a strong criterion is proven for a mainstream programming language. To achieve this we extend the languages of the CompCert verified C compiler with isolated compartments that can only interact via procedure calls and returns, as specified by cross-compartment interfaces. We adapt the passes and optimizations of CompCert as well as their correctness proofs to this compartment-aware setting. We then use compiler correctness as an ingredient in a larger secure compilation proof that involves several proof engineering novelties, needed to scale formally secure compilation up to a C compiler.

翻译：C语言中的未定义行为常导致严重的安全漏洞。一种实用的缓解措施是分区化，它允许开发者将大型程序组织成相互不信任的分区，各分区具有明确指定的权限与交互方式。本文介绍SECOMP——一个针对分区化C代码的编译器，其配备机器可验证的证明，确保未定义行为的影响范围仅限于遭遇该行为并动态受损的分区。这些保证被形式化为对抗性环境下安全特性的保持，这是一种类似于完全抽象的安​​全编译准则，且首次在主流编程语言中证明了如此强的准则。为实现这一目标，我们在CompCert验证C编译器的语言基础上扩展了隔离分区机制，分区仅能通过过程调用与返回进行交互，具体方式由跨分区接口规定。我们调整了CompCert的编译阶段、优化算法及其正确性证明，使其适应这种分区感知的编译环境。随后，我们将编译器正确性作为构建更宏大的安全编译证明的组成部分，其中涉及多项证明工程创新，这些创新是实现C编译器形式化安全编译规模化所必需的。