SECOMP: Formally Secure Compilation of Compartmentalized C Programs

📅 2024-01-29
🏛️ Conference on Computer and Communications Security
📈 Citations: 1
Influential: 0
🤖 AI Summary
Undefined behavior (UB) in C programs can propagate security vulnerabilities across module boundaries. This paper presents the first end-to-end machine-verified secure compiler that confines UB effects via memory compartments—logically isolated execution units—thereby preventing cross-compartment attack propagation. Methodologically, it introduces the first machine-checked proof of a fully abstract, type-safety–based secure compilation criterion for C; proposes an interface-driven compartment isolation semantics and a modular, extensible secure compilation proof framework; and extends CompCert with compartment semantics, re-verifying critical optimizations while jointly proving both compiler correctness and adversarial contextual security. The system supports formal verification from C source code to ARM/Clang target binaries, guaranteeing that compartment crashes—even under malicious host environments—preserve global security invariants.

📝 Abstract
Undefined behavior in C often causes devastating security vulnerabilities. One practical mitigation is compartmentalization, which allows developers to structure large programs into mutually distrustful compartments with clearly specified privileges and interactions. In this paper we introduce SECOMP, a compiler for compartmentalized C code that comes with machine-checked proofs guaranteeing that the scope of undefined behavior is restricted to the compartments that encounter it and become dynamically compromised. These guarantees are formalized as the preservation of safety properties against adversarial contexts, a secure compilation criterion similar to full abstraction, and this is the first time such a strong criterion is proven for a mainstream programming language. To achieve this we extend the languages of the CompCert verified C compiler with isolated compartments that can only interact via procedure calls and returns, as specified by cross-compartment interfaces. We adapt the passes and optimizations of CompCert as well as their correctness proofs to this compartment-aware setting. We then use compiler correctness as an ingredient in a larger secure compilation proof that involves several proof engineering novelties, needed to scale formally secure compilation up to a C compiler.
Problem
Research questions and friction points this paper is trying to address: C language, security issues, modularization.

Innovation
Methods, ideas, or system contributions that make the work stand out: SECOMP, machine-checked proof, secure compilation.
Authors
Jérémy Thibault, Max Planck Institute for Security and Privacy (MPI-SP). Interests: programming languages, formal verification, security, language-based security, secure compilation.
Roberto Blanco, MPI-SP, Bochum, Germany.
Dongjae Lee, Seoul National University, South Korea.
Sven Argo, Ruhr University Bochum, Germany.
Arthur Azevedo de Amorim, Rochester Institute of Technology. Interests: programming languages, formal verification, computer security.
A. L. Georges, MPI-SWS, Saarbrücken, Germany.
Cătălin Hriţcu, MPI-SP, Bochum, Germany.
A. Tolmach, Portland State University, USA.