The Secrets Must Not Flow: Scaling Security Verification to Large Codebases (extended version)

📅 2025-07-01
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing program verifiers struggle to scale to large codebases because of the manual effort they require. This paper introduces Diodon, a modular verification methodology that splits a codebase into the security-critical protocol implementation (the Core) and the remaining Application. It combines auto-active (semi-automated) verification of the Core with the Gobra verifier, proving protocol properties such as secrecy of keys and injective agreement, with fully automated static analyses over the Application. The key idea is I/O independence: the static analyses prove that the Application's I/O operations do not depend on the Core's security-relevant data (such as keys) and that the Application meets the Core's requirements, so the Application cannot invalidate the properties proved for the Core; the authors prove that this composition of manual verification and static analysis is sound. Evaluated on an implementation of the signed Diffie-Hellman key exchange and on a production Go codebase of more than 100,000 lines implementing a key exchange protocol, Diodon required verifying a Core of only about 1% of the code, and the secrecy and injective agreement guarantees were obtained in less than three person-months. The approach makes formal verification of large codebases considerably more feasible.

📝 Abstract
Existing program verifiers can prove advanced properties about security protocol implementations, but are difficult to scale to large codebases because of the manual effort required. We develop a novel methodology called *Diodon* that addresses this challenge by splitting the codebase into the protocol implementation (the *Core*) and the remainder (the *Application*). This split allows us to apply powerful semi-automated verification techniques to the security-critical Core, while fully-automatic static analyses scale the verification to the entire codebase by ensuring that the Application cannot invalidate the security properties proved for the Core. The static analyses achieve that by proving *I/O independence*, i.e., that the I/O operations within the Application are independent of the Core's security-relevant data (such as keys), and that the Application meets the Core's requirements. We have proved Diodon sound by first showing that we can safely allow the Application to perform I/O independent of the security protocol, and second that manual verification and static analyses soundly compose. We evaluate Diodon on two case studies: an implementation of the signed Diffie-Hellman key exchange and a large (100k+ LoC) production Go codebase implementing a key exchange protocol for which we obtained secrecy and injective agreement guarantees by verifying a Core of about 1% of the code with the auto-active program verifier Gobra in less than three person months.
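I/O independence, as the abstract describes it, is at heart an information-flow property: nothing the Application writes to the network or logs may depend on the Core's security-relevant data. The Go program below is an added example written for this page to make that concrete; it is not code from the paper, from Gobra, or from the evaluated codebase, and it is far simpler than Diodon's analysis. It runs a deliberately small intra-procedural taint check over two constructed Application snippets: calls to a Core method assumed to expose a secret (`SecretKey`) are sources, I/O methods (`Write`, `Printf`, `Println`) are sinks, and taint is propagated through assignments by variable name until a fixpoint. All of those names and both snippets are assumptions of the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed Application snippets (assumed, not from the paper). They are only
// parsed, not type-checked, so Conn, Core, mac and log need no definitions.
const violatingApp = `package app
func run(conn Conn, core Core) {
	k := core.SecretKey()         // Core hands a secret to the Application
	tag := mac(k, []byte("ping")) // value derived from the secret
	conn.Write(tag)               // I/O that depends on the secret
}
`

const independentApp = `package app
func run(conn Conn, core Core) {
	ct := core.Encrypt([]byte("ping")) // Core output, treated as public
	conn.Write(ct)
	log.Printf("sent %d bytes", len(ct))
}
`

// Assumed interface contract: Core methods that expose security-relevant data
// (sources) and the I/O methods the Application may call (sinks).
var sources = map[string]bool{"SecretKey": true}
var sinks = map[string]bool{"Write": true, "Printf": true, "Println": true}

// calleeName returns M for a call of the form x.M(...), otherwise "".
func calleeName(call *ast.CallExpr) string {
	if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
		return sel.Sel.Name
	}
	return ""
}

// tainted reports whether any of exprs mentions a tainted variable or a source call.
func tainted(exprs []ast.Expr, taint map[string]bool) bool {
	found := false
	for _, e := range exprs {
		ast.Inspect(e, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.Ident:
				found = found || taint[x.Name]
			case *ast.CallExpr:
				found = found || sources[calleeName(x)]
			}
			return !found
		})
	}
	return found
}

// ioIndependenceViolations parses one Go file and, per function, propagates taint
// from source calls through assignments to a fixpoint (so loops are covered), then
// reports every sink call that receives a tainted argument.
func ioIndependenceViolations(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "app.go", src, 0)
	if err != nil {
		return nil, err
	}
	var report []string
	for _, d := range f.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		taint := map[string]bool{}
		for changed := true; changed; {
			changed = false
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				if as, ok := n.(*ast.AssignStmt); ok && tainted(as.Rhs, taint) {
					for _, lhs := range as.Lhs { // conservative: every LHS of a tainted RHS is tainted
						if id, ok := lhs.(*ast.Ident); ok && !taint[id.Name] {
							taint[id.Name], changed = true, true
						}
					}
				}
				return true
			})
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok && sinks[calleeName(call)] && tainted(call.Args, taint) {
				report = append(report, fmt.Sprintf("%s: %s depends on a Core secret", fset.Position(call.Pos()), calleeName(call)))
			}
			return true
		})
	}
	return report, nil
}

func main() {
	for _, src := range []string{violatingApp, independentApp} {
		v, err := ioIndependenceViolations(src)
		fmt.Println(len(v), "violation(s):", v, err)
	}
}
```

Two design choices mirror the abstract's framing. Everything the Core returns other than a designated source is treated as public, which is exactly the trust placed in the verified Core: its outputs (ciphertexts, MACs) are what the Application is supposed to send. And the check iterates to a fixpoint rather than walking statements once, so a secret assigned late in a loop body still taints a write earlier in the same loop. What it ignores is also instructive: aliasing through pointers and struct fields, calls into other functions, and control-flow (implicit) dependencies, all of which a sound analysis of a 100k+ line codebase has to account for.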

Problem

Research questions and friction points this paper is trying to address.

Scaling security verification to large codebases with minimal manual effort
Splitting code into Core and Application for efficient verification
Ensuring I/O independence to maintain security properties in large codebases

Innovation

Methods, ideas, or system contributions that make the work stand out.

Splits codebase into Core and Application
Uses semi-automated verification for Core
Ensures I/O independence via static analyses
Linard Arquint
Doctoral Student, ETH Zurich
Protocol Verification, Program Verification, Security Protocols
Samarth Kishor
Amazon Web Services, USA
Jason R. Koenig
Amazon Web Services, USA
Joey Dodds
Amazon Web Services, USA
Daniel Kroening
Amazon
Automated verification, testing, model checking
Peter Müller
Department of Computer Science, ETH Zurich, Switzerland