🤖 AI Summary
Addressing the critical operating-system challenge of device-driver security, this paper presents the first end-to-end formal verification of a high-performance Ethernet NIC driver, eliminating kernel crashes and privilege-escalation vulnerabilities caused by driver bugs. Methodologically, the authors introduce Pancake, a verification-friendly systems programming language; construct a semantics-preserving compilation chain grounded in the CakeML verified compiler backend; and design an automated source-to-Viper translation mechanism, thereby closing the full verification loop. The principal contributions are: (1) the first fully stack-verified high-performance NIC driver; (2) a rigorous, machine-checked guarantee of semantic equivalence between source code and generated binary; and (3) comprehensive verification coverage spanning memory safety, concurrent correctness, and I/O protocol compliance.
📝 Abstract
Device driver bugs are the leading cause of OS compromises, and their formal verification is therefore highly desirable. To the best of our knowledge, no realistic and performant driver has been verified for a non-trivial device. We propose Pancake, an imperative language for systems programming that features a well-defined and verification-friendly semantics. Leveraging the verified compiler backend of the CakeML functional language, we develop a compiler for Pancake that guarantees that the binary retains the semantics of the source code. Using automatic translation of Pancake to the Viper SMT front-end, we verify a performant driver for an Ethernet NIC.