🤖 AI Summary
Dafny's compilation pipeline is currently unverified: both the backend that emits a high-level target language and that language's own toolchain sit inside Dafny's trusted computing base (TCB), so a bug in either can undermine the guarantees a verified Dafny program was supposed to carry to the executable.
Method: The authors are developing a new backend, implemented in the interactive theorem prover HOL4, that translates Dafny's intermediate representation (IR) to CakeML, a verified, bootstrapped subset of Standard ML. To state and prove the backend's correctness, they are also defining a functional big-step semantics for the Dafny IR in HOL4, which fixes the source-side meaning against which semantics preservation of the translation can be proved.
Contribution/Results: This is work in progress; the abstract reports no completed correctness proof. If the IR-to-CakeML translation is proved semantics-preserving, that step leaves the TCB, and because CakeML's compiler to machine code is itself verified, the target language's toolchain (today, for example, the C# or Rust toolchain) would no longer need to be trusted either. Steps the abstract does not cover, such as producing the IR from Dafny source, would remain trusted.
📝 Abstract
Dafny is a verification-aware programming language that allows developers to formally specify their programs and prove them correct. Currently, a Dafny program is compiled in two steps: First, a backend translates the input program to a high-level target language like C# or Rust. Second, the translated program is compiled using the target language's toolchain. Recently, an intermediate representation (IR) has been added to Dafny that serves as input to new backends. At the time of writing, none of these steps are verified, resulting in both the backend and the target language's toolchain being part of Dafny's trusted computing base (TCB). To reduce Dafny's TCB, we started developing a new backend that translates Dafny to CakeML, a verified, bootstrapped subset of Standard ML, in the interactive theorem prover HOL4. We also started to define functional big-step semantics for the Dafny IR to prove correctness of the backend.
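As an added illustration (not code from the paper, the Dafny project or CakeML), the following Python sketch shows what a clocked functional big-step semantics looks like for a hypothetical toy IR and how a backend correctness statement is phrased against it. Every loop iteration consumes one unit of fuel, so evaluation is a total function that reports ok, error or timeout rather than a relation that may be undefined for diverging programs, and a compiler pass is correct when source and target agree on that outcome for every initial store and clock. The toy IR, the two passes and the sample programs are all constructed for this example; the second pass is deliberately wrong and drops an assignment that must fail, the kind of silent behaviour change an unverified backend can introduce.

```python
"""Toy functional big-step semantics with a clock, and the shape of a
semantics-preservation check for a compiler pass.  Constructed illustration:
not Dafny's IR, CakeML, or the paper's HOL4 definitions.
IR as tuples -- expressions: ("const", n), ("var", x), ("add"|"lt"|"div", a, b);
statements: ("skip",), ("assign", x, e), ("seq", s1, s2), ("while", c, body)."""

ERROR, TIMEOUT = "error", "timeout"


def eval_expr(env, e):
    """Expressions always terminate, so no clock is needed; returns int or ERROR."""
    tag = e[0]
    if tag == "const":
        return e[1]
    if tag == "var":
        return env.get(e[1], ERROR)          # unbound variable is a runtime error
    a, b = eval_expr(env, e[1]), eval_expr(env, e[2])
    if a == ERROR or b == ERROR:
        return ERROR
    if tag == "add":
        return a + b
    if tag == "lt":
        return int(a < b)
    if tag == "div":
        return ERROR if b == 0 else a // b   # division by zero is an observable error
    raise ValueError(tag)


def eval_stmt(clock, env, s):
    """Evaluation *function* (not a relation): returns (result, env', clock').
    Total: each loop iteration consumes one unit of fuel, so a diverging
    program answers TIMEOUT for every clock instead of never answering."""
    tag = s[0]
    if tag == "skip":
        return "ok", env, clock
    if tag == "assign":
        v = eval_expr(env, s[2])
        return (ERROR, env, clock) if v == ERROR else ("ok", {**env, s[1]: v}, clock)
    if tag == "seq":
        r, env, clock = eval_stmt(clock, env, s[1])
        return (r, env, clock) if r != "ok" else eval_stmt(clock, env, s[2])
    if tag == "while":
        c = eval_expr(env, s[1])
        if c == ERROR:
            return ERROR, env, clock
        if not c:
            return "ok", env, clock
        if clock == 0:
            return TIMEOUT, env, 0           # fuel exhausted: the only way a loop is cut short
        r, env, clock = eval_stmt(clock - 1, env, s[2])
        return (r, env, clock) if r != "ok" else eval_stmt(clock, env, s)
    raise ValueError(tag)


def map_exprs(s, f):
    """Apply an expression rewriter f to every expression inside statement s."""
    tag = s[0]
    if tag == "assign":
        return tag, s[1], f(s[2])
    if tag == "seq":
        return tag, map_exprs(s[1], f), map_exprs(s[2], f)
    if tag == "while":
        return tag, f(s[1]), map_exprs(s[2], f)
    return s


def fold_consts(e):
    """Correct pass: fold ("add", const, const); div is left alone since it may fail."""
    if e[0] in ("add", "lt", "div"):
        a, b = fold_consts(e[1]), fold_consts(e[2])
        if e[0] == "add" and a[0] == "const" == b[0]:
            return "const", a[1] + b[1]
        return e[0], a, b
    return e


def dead_store_elim(s):
    """BUGGY pass: 'x := e; x := c' becomes 'x := c', forgetting that e may fail."""
    if s[0] == "seq":
        a, b = dead_store_elim(s[1]), dead_store_elim(s[2])
        if a[0] == b[0] == "assign" and a[1] == b[1] and b[2][0] == "const":
            return b
        return "seq", a, b
    if s[0] == "while":
        return "while", s[1], dead_store_elim(s[2])
    return s


def preserves_semantics(compile_pass, prog, envs, clocks):
    """Shape of a backend correctness theorem: for every initial store and clock,
    source and target agree on the observable outcome (result and final store).
    A HOL4 proof quantifies over all stores and clocks; this only samples them."""
    tgt = compile_pass(prog)
    return all(eval_stmt(k, env, prog)[:2] == eval_stmt(k, env, tgt)[:2]
               for env in envs for k in clocks)


# Constructed sample programs.
# sum := 0; i := 0; while i < n { sum := sum + i; i := i + 1 }
SUM_LOOP = ("seq", ("assign", "sum", ("const", 0)),
            ("seq", ("assign", "i", ("const", 0)),
             ("while", ("lt", ("var", "i"), ("var", "n")),
              ("seq", ("assign", "sum", ("add", ("var", "sum"), ("var", "i"))),
                      ("assign", "i", ("add", ("var", "i"), ("const", 1)))))))
DIVERGE = ("while", ("lt", ("const", 1), ("const", 2)), ("skip",))   # never halts
FAILING_STORE = ("seq", ("assign", "x", ("div", ("const", 1), ("const", 0))),
                 ("assign", "x", ("const", 2)))                       # must report ERROR
```

Running `preserves_semantics(lambda s: map_exprs(s, fold_consts), SUM_LOOP, ...)` succeeds for any stores and clocks, while `preserves_semantics(dead_store_elim, FAILING_STORE, [{}], [3])` fails: the source reports the division by zero, the "optimised" program silently succeeds with `x = 2`. A verified backend rules out exactly this class of discrepancy for all inputs, not just sampled ones; the clock also makes the divergence case explicit, since `DIVERGE` yields `TIMEOUT` at every clock value.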