Verified secure compilation for mixed-sensitivity concurrent programs
Journal of Functional Programming (IF 1.1), published 2021-07-28, DOI: 10.1017/s0956796821000162
Robert Sison, Toby Murray
Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.
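As an added illustration, not the paper's Isabelle/HOL artefact, here is a small Python model of the value-dependent noninterference the abstract describes: a shared buffer whose classification depends on a control variable is reused for High and then Low data, and a two-run check over all interleavings compares the Low-observable view of a mutex-protected program with a racy one. The variable names (`buf`, `is_secret`, `out`), the step granularity and the boolean lock are assumptions of this model.

```python
from itertools import product

# Constructed model, not the paper's Isabelle/HOL development: shared `buf` is
# High while `is_secret == 1` and Low otherwise; a producer reuses it for High
# then Low data, and a consumer copies it into the Low-observable `out`.
# A step is (guard, effect); a thread whose guard fails is blocked.
ACQUIRE = (lambda m: not m["lock"], lambda m: m.update(lock=True))
RELEASE = (lambda m: True, lambda m: m.update(lock=False))
def op(f):
    return (lambda m: True, f)

def producer(secret, public):
    return [ACQUIRE,
            op(lambda m: m.update(is_secret=1)),   # reclassify buf as High
            op(lambda m: m.update(buf=secret)),    # reuse buf for secret data
            op(lambda m: m.update(buf=0)),         # scrub before declassifying
            op(lambda m: m.update(is_secret=0)),   # buf is Low again
            op(lambda m: m.update(buf=public)),
            RELEASE]

def locked_program(secret, public):
    copy = op(lambda m: m.update(out=m["buf"] if m["is_secret"] == 0 else m["out"]))
    return [producer(secret, public), [ACQUIRE, copy, RELEASE]]

def racy_program(secret, public):
    # No mutex, and the consumer checks the classification in one step and
    # reads buf in the next, so the producer can reclassify buf in between.
    cons = [op(lambda m: m.update(ok=m["is_secret"] == 0)),
            op(lambda m: m.update(out=m["buf"] if m["ok"] else m["out"]))]
    return [producer(secret, public)[1:-1], cons]   # producer without the lock

def run(threads, schedule):
    mem = {"buf": 0, "is_secret": 0, "out": 0, "ok": False, "lock": False}
    pcs = [0] * len(threads)
    for tid in schedule:                       # thread that tries the next step
        if pcs[tid] < len(threads[tid]) and threads[tid][pcs[tid]][0](mem):
            threads[tid][pcs[tid]][1](mem)
            pcs[tid] += 1                      # otherwise blocked on the mutex
    return mem

def low_view(mem):  # value-dependent: buf is observable only while it is Low
    view = {"is_secret": mem["is_secret"], "out": mem["out"]}
    if mem["is_secret"] == 0:
        view["buf"] = mem["buf"]
    return view

def noninterferent(program, public=5, steps=12):
    # Two-run check: same Low input and schedule, different High input; Low views must agree.
    return all(low_view(run(program(7, public), s)) == low_view(run(program(42, public), s))
               for s in product((0, 1), repeat=steps))
```

`noninterferent(locked_program)` holds for every interleaving, while `noninterferent(racy_program)` fails on the schedule where the consumer's check and read straddle the producer's reclassification, which is exactly the coordination a secure compiler must not break.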

Updated: 2021-07-28