A Formally Verified Robustness Certifier for Neural Networks (Extended Version)

📅 2025-05-11
📈 Citations: 0
Influential: 0
🤖 AI Summary
Neural networks exhibit sensitivity to input perturbations, and existing global robustness certification methods rely on unverified approximation algorithms—e.g., power iteration—introducing soundness violations and implementation flaws. To address this, we propose the first end-to-end formally verified robustness certifier, implemented in Dafny. Our approach rigorously formalizes global robustness, employs exact linear algebraic computations (avoiding floating-point approximations), and establishes mathematical soundness via program specification and inductive invariants. Crucially, the entire certification procedure—including all auxiliary routines—is mechanically verified, eliminating approximation errors and untrusted code. This yields the first certification framework with end-to-end formal soundness guarantees. Experimental evaluation uncovers concrete counterexamples to several widely used approximate methods, demonstrating both their unsoundness in practice and the superior reliability of our verified certifier. The work significantly advances the trustworthiness and security of neural network robustness certification.

📝 Abstract
Neural networks are often susceptible to minor perturbations in input that cause them to misclassify. A recent solution to this problem is the use of globally-robust neural networks, which employ a function to certify that the classification of an input cannot be altered by such a perturbation. Outputs that pass this test are called certified robust. However, to the authors' knowledge, these certification functions have not yet been verified at the implementation level. We demonstrate how previous unverified implementations are exploitably unsound in certain circumstances. Moreover, they often rely on approximation-based algorithms, such as power iteration, that (perhaps surprisingly) do not guarantee soundness. To provide assurance that a given output is robust, we implemented and formally verified a certification function for globally-robust neural networks in Dafny. We describe the program, its specifications, and the important design decisions taken for its implementation and verification, as well as our experience applying it in practice.
Problem

Research questions and friction points this paper is trying to address.

Neural networks are vulnerable to input perturbations causing misclassification
Existing certification functions lack implementation-level verification
Unverified implementations may be unsound and rely on unreliable approximations
Innovation

Methods, ideas, or system contributions that make the work stand out.

Formally verified certification function for robustness
Implemented in Dafny for assurance
Addresses unsoundness in previous approximations
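The abstract and the innovation points above describe a certifier that checks whether a classification can be flipped by a bounded input perturbation, and note that approximation-based routines such as power iteration do not guarantee soundness. The following Python program is an added illustration of that point and is not the paper's Dafny code: it assumes the usual Lipschitz-margin certificate (an output is certified robust when the gap between the top two logits exceeds what an L2 perturbation of radius ε can change, i.e. margin > √2·L·ε for a Lipschitz bound L of the logit map), uses exact rationals in place of floating point, bounds each layer's spectral norm soundly by its Frobenius norm, and contrasts that with a truncated power iteration that, from an unlucky start vector, underestimates the spectral norm and therefore "certifies" an input for which a flipping perturbation exists. The matrix, input and adversarial point are constructed for the demonstration.

```python
from fractions import Fraction
from typing import List, Tuple

Vector = List[Fraction]
Matrix = List[List[Fraction]]


def dot(u: Vector, v: Vector) -> Fraction:
    return sum((a * b for a, b in zip(u, v)), Fraction(0))


def matvec(W: Matrix, x: Vector) -> Vector:
    return [dot(row, x) for row in W]


def transpose(W: Matrix) -> Matrix:
    return [list(col) for col in zip(*W)]


def matmul(A: Matrix, B: Matrix) -> Matrix:
    return [[dot(row, col) for col in transpose(B)] for row in A]


def frobenius_sq(W: Matrix) -> Fraction:
    # ||W||_2^2 <= ||W||_F^2 always holds, so this is a sound (exact, rational)
    # upper bound on the squared spectral norm of one linear layer.
    return sum((w * w for row in W for w in row), Fraction(0))


def lipschitz_sq_upper(layers: List[Matrix]) -> Fraction:
    # ReLU is 1-Lipschitz, so the product of per-layer bounds bounds the
    # squared Lipschitz constant of the whole network (assumption: ReLU net).
    bound = Fraction(1)
    for W in layers:
        bound *= frobenius_sq(W)
    return bound


def power_iteration_sq(W: Matrix, start: List[int], steps: int) -> Fraction:
    # Rayleigh-quotient estimate of the largest eigenvalue of W^T W after
    # `steps` iterations. A truncated run never exceeds the true value, so
    # using it as a Lipschitz bound can only under-approximate: unsound.
    M = matmul(transpose(W), W)
    v = [Fraction(s) for s in start]
    for _ in range(steps):
        v = matvec(M, v)  # no normalisation needed: the quotient is scale-free
    return dot(v, matvec(M, v)) / dot(v, v)


def top_two(logits: Vector) -> Tuple[int, int]:
    order = sorted(range(len(logits)), key=lambda i: logits[i], reverse=True)
    return order[0], order[1]


def classify(W: Matrix, x: Vector) -> int:
    return top_two(matvec(W, x))[0]


def certified_robust(logits: Vector, eps: Fraction, lip_sq: Fraction) -> bool:
    # margin > sqrt(2) * L * eps, compared in squared form to stay exact.
    i, j = top_two(logits)
    margin = logits[i] - logits[j]
    return margin > 0 and margin * margin > 2 * lip_sq * eps * eps


def dist_sq(u: Vector, v: Vector) -> Fraction:
    return sum(((a - b) ** 2 for a, b in zip(u, v)), Fraction(0))


# Constructed demonstration: one linear layer with singular values 1 and 3.
W_DEMO: Matrix = [[Fraction(1), Fraction(0)], [Fraction(0), Fraction(3)]]
X_DEMO: Vector = [Fraction(1), Fraction(1)]          # logits (1, 3), class 1
EPS = Fraction(1)                                     # L2 perturbation radius
X_ADV: Vector = [Fraction(8, 5), Fraction(1, 5)]      # ||X_ADV - X_DEMO|| = 1


def demo() -> Tuple[bool, bool, bool]:
    logits = matvec(W_DEMO, X_DEMO)
    sound = certified_robust(logits, EPS, lipschitz_sq_upper([W_DEMO]))
    # Start vector [1, 0] is an eigenvector of W^T W for eigenvalue 1, so the
    # iteration never moves and reports a spectral norm of 1 instead of 3.
    approx = certified_robust(logits, EPS, power_iteration_sq(W_DEMO, [1, 0], 50))
    flipped = classify(W_DEMO, X_ADV) != classify(W_DEMO, X_DEMO) \
        and dist_sq(X_DEMO, X_ADV) <= EPS * EPS
    return sound, approx, flipped


if __name__ == "__main__":
    sound, approx, flipped = demo()
    print("exact Frobenius bound certifies:", sound)      # False
    print("truncated power iteration certifies:", approx)  # True (unsound)
    print("flipping perturbation within radius exists:", flipped)  # True
```

The exact certifier declines to certify the input, and a witness perturbation of norm exactly ε does flip the predicted class, so the power-iteration-based verdict is a genuine false positive of the kind the abstract describes. With a generic start vector such as [1, 1] the same routine converges towards the true value 9 for W^T W, which is why such errors are easy to miss in testing and why the paper argues for verifying the certification code itself rather than trusting numerical approximations.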