SecRef*: Securely Sharing Mutable References Between Verified and Unverified Code in F*

📅 2025-03-01
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses state safety in F* when verified and unverified code dynamically share ML-style mutable references. We propose SecRef*, a secure compilation framework that introduces the first monadic representation of F*'s Monotonic State effect. Our approach features a classification mechanism that tracks which references are shareable with unverified code, together with a higher-order contract-driven dynamic checking transformation; non-shareable references are guaranteed to be unchanged across calls into unverified code, so the verified program can rely on this property at trusted call boundaries. By tightly integrating refinement types, runtime checks, and formal verification, we deliver end-to-end proofs in F* that interoperability with unverified code is sound and secure. The framework has been used to build a verified cooperative multi-threading scheduler that securely interacts with unverified threads.

📝 Abstract
We introduce SecRef*, a secure compilation framework protecting stateful programs verified in F* against linked unverified code, with which the program dynamically shares ML-style mutable references. To ease program verification in this setting, we propose a way of tracking which references are shareable with the unverified code, and which ones are not shareable and whose contents are thus guaranteed to be unchanged after calling into unverified code. This universal property of non-shareable references is exposed in the interface on which the verified program can rely when calling into unverified code. The remaining refinement types and pre- and post-conditions that the verified code expects from the unverified code are converted into dynamic checks about the shared references by using higher-order contracts. We prove formally in F* that this strategy ensures sound and secure interoperability with unverified code. Since SecRef* is built on top of the Monotonic State effect of F*, these proofs rely on the first monadic representation for this effect, which is a contribution of our work that can be of independent interest. Finally, we use SecRef* to build a simple cooperative multi-threading scheduler that is verified and that securely interacts with unverified threads.
Problem

Research questions and friction points this paper is trying to address.

SecRef* enables secure sharing of mutable references between verified F* code and linked unverified code.
It tracks which references are shareable with unverified code, so that the contents of non-shareable references are guaranteed to be unchanged after calling into unverified code.
SecRef* uses higher-order contracts to convert the refinement types and pre-/post-conditions expected of unverified code into dynamic checks on the shared references.
Innovation

Methods, ideas, or system contributions that make the work stand out.

SecRef* framework for secure sharing of mutable references with unverified code
Dynamic checks using higher-order contracts for sound and secure interoperability
First monadic representation of F*'s Monotonic State effect