This paper addresses the “attack inversion” problem in secure compilation: ensuring that if a source context cannot attack a source program, then no target context can attack the compiled program. We propose a structured back-translation method based on call-return trees, employing fine-grained (nanopass) tree transformations and ghost-state modeling to enforce execution invariants that guarantee semantic equivalence of attack behaviors. Our approach supports modular construction and forward simulation-based verification. We fully mechanize both the back-translation algorithm and its correctness proof within the Rocq theorem prover. Compared to conventional approaches, our method substantially reduces verification scale and engineering complexity across the secure compilation chain. It establishes a novel paradigm for verifiable secure compilation, enabling rigorous end-to-end security guarantees through compositional, semantics-preserving reasoning.

Researchers aim to build secure compilation chains enforcing that if there is no attack a source context can mount against a source program then there is also no attack an adversarial target context can mount against the compiled program. Proving that these compilation chains are secure is, however, challenging, and involves a non-trivial back-translation step: for any attack a target context mounts against the compiled program one has to exhibit a source context mounting the same attack against the source program. We describe a novel back-translation technique, which results in simpler proofs that can be more easily mechanized in a proof assistant. Given a finite set of finite trace prefixes, capturing the interaction recorded during an attack between a target context and the compiled program, we build a call-return tree that we back-translate into a source context producing the same trace prefixes. We use state in the generated source context to record the current location in the call-return tree. The back-translation is done in several small steps, each adding to the tree new information describing how the location should change depending on how the context regains control. To prove this back-translation correct we give semantics to every intermediate call-return tree language, using ghost state to store information and explicitly enforce execution invariants. We prove several small forward simulations, basically seeing the back-translation as a verified nanopass compiler. Thanks to this modular structure, we are able to mechanize this complex back-translation and its correctness proof in the Rocq prover without too much effort.