🤖 AI Summary
Formal verification of systems software has long suffered from low developer engagement and high development/maintenance costs due to fragmented tooling environments and paradigm mismatches between programming and verification. This paper introduces C*, a novel language that deeply integrates formal verification capabilities into standard C syntax, enabling in-situ proof annotations directly within source code to unify programming and verification in a single, interactive environment. Its core contributions are threefold: (1) the first language-level verification paradigm anchored on standard C as a unified host; (2) an LCF-style trusted kernel-driven symbolic execution framework for sound verification; and (3) support for extensible logic libraries, programmable proof strategies, and automation mechanisms. The prototype system has successfully verified representative C programs and critical functions of the pKVM buddy allocator, covering mainstream C idioms. Results demonstrate significantly improved feasibility of verifying complex systems software and enhanced developer involvement.
📝 Abstract
Ensuring the correct functionality of systems software, given its safety-critical and low-level nature, is a primary focus in formal verification research and applications. Despite advances in verification tooling, conventional programmers are rarely involved in the verification of their own code, resulting in higher development and maintenance costs for verified software. A key barrier to programmer participation in verification is the disconnect in environments and paradigms between programming and verification, which limits accessibility and real-time verification. We introduce C*, a proof-integrated language design for C programming. C* extends C with verification capabilities, powered by a symbolic execution engine and an LCF-style proof kernel. It enables real-time verification by allowing programmers to embed proof-code blocks alongside implementation code, facilitating interactive updates to the current proof state. Its expressive and extensible proof support allows users to build reusable libraries of logical definitions, theorems, and programmable proof automation. Crucially, C* unifies implementation and proof code development by using C as the common language. We implemented a prototype of C* and evaluated it on a representative benchmark of small C programs and a challenging real-world case study: the attach function of pKVM's buddy allocator. Our results demonstrate that C* supports the verification of a broad subset of C programming idioms and effectively handles complex reasoning tasks in real-world scenarios.