Of What Use is a Veri ed Compiler Speci cation ?

Program veri cation is normally performed on source code. However, it is the object code which is executed and so which ultimately must be correct. The compiler used to produce the object code must not introduce bugs. The majority of the compiler correctness literature is concerned with the veri cation of compiler speci cations rather than executable implementations. We discuss di erent ways that veri ed speci cations can be used to obtain implementations with varying degrees of security. In particular, we describe how a speci cation can be executed by proof. We discuss how this method can be used in conjunction with an insecure production compiler so as to retain security without slowing the development cycle of application programs. A veri ed implementation of a compiler in a high-level language is not su cient to obtain correct object code. The compiler must itself be compiled into a low-level language before it can be executed. At rst sight it appears we need an already veri ed compiler to obtain a secure low-level implementation of a compiler. We describe how a low-level implementation of a compiler can be securely obtained from a veri ed compiler speci cation.