Samuel Gruetter

Email: firstname dot lastname at inf dot ethz dot ch

Office address:
ETH Zurich Systems Group
STF H 313
Stampfenbachstrasse 114
8092 Zürich
Switzerland

Full CV: here

I am a postdoc in Prof. Timothy (Mothy) Roscoe’s group, in the Systems Group of the Department of Computer Science at ETH Zürich.

My background is in formal methods. I did my PhD at MIT in Prof. Adam Chlipala’s group, working on machine-checked end‑to‑end proofs about software-hardware stacks.

Now, as a postdoc in Mothy’s group, I am excited to learn about real operating systems and to apply formal methods to systems research.

Currently, I am leading the development of Sockeye, a domain-specific language and analysis tool to formalize and analyze hardware reference manuals of Systems-on-a-Chip (SoCs). It supports both automated bug finding as well as proving security properties about hardware platforms and their configurations, and comes with a growing library of specifications of a diverse range of hardware platforms, unifying code by more than a dozen contributors.

Past Projects

I invented Live Verification, a software development method that enables programmers to formally verify their code at the time they write it. After each line of code that the programmer wrote, the tool displays a concise summary of everything it knows about the current state of the program, which can inform the programmer on what the next line of code should be, and once the programmer is done writing a function, the displayed summary of the symbolic state can be turned into a proof of a postcondition. I implemented the tool in the interactive theorem prover Coq (now called Rocq), so in order to trust proofs about programs written in it, one only needs to trust the language semantics and Coq’s proof-checking kernel, but not the implementation of the Live Verification tool itself.
Trouble combining undefined behavior and nondeterminism? ➔ Try omnisemantics!
While working on Bedrock2, my colleague Andres Erbsen and me came up with a style of programming language semantics that we think works much better in the presence of undefined behavior and nondeterminism than using traditional smallstep or bigstep operational semantics would. A little later, our advisor Adam Chlipala chatted with Arthur Charguéraud and they found out that he had discovered the same style of semantics as well, but was using it for functional languages, while we were using it for imperative languages. Together, we wrote a paper about it, or if you prefer just a short introduction, you can also check out this blog post.
With my colleague Andres Erbsen, I developed Bedrock2, a program logic to formally verify systems code.
I developed formal RISC-V ISA semantics in Coq that support a wide range of use cases.
I wrote a formally verified compiler in Coq from a small subset of C (as specified by Bedrock2) to RISC-V machine code (as specified by riscv-coq). It enabled several research projects of me as well as of my colleagues, including end-to-end systems proofs that cross the software-hardware boundary, a formally verified cryptographic server, proofs about a trap handler combining C and assembly, a compiler extension to support proving running-time bounds, another extension to prove cryptographic constant time, and it also served as a case study to illustrate the advantages of omnisemantics. I wrote up its design considerations in Chapter 3 of my thesis.
I was visiting Dr. Toby Murray at the University of Melbourne for 10 weeks to work on information flow control proofs for C.
For a six months master thesis internship, I was working with Prof. Andrew Appel’s group at Princeton, improving the proof automation tactics of their Verified Software Toolchain. (VST), and using it to verify the AES encryption implementation of mbed TLS.
During my master’s at EPFL, I was working with Prof. Martin Odersky’s Scala lab on the Dependent Object Types project, a formalization of the core of Scala’s type system, writing proofs on paper and using the proof assistants Twelf and Coq.
For a class project at EPFL, I contributed to the function termination checker of Leon, a tool for verification and synthesis of Scala programs by Prof. Viktor Kuncak’s group.
While working at the Scala lab, I contributed to dotty, a new Scala compiler serving as a research platform to investigate new language concepts and compiler technologies for Scala, which eventually became the compiler for Scala 3.
For my bachelor thesis, I designed, explored and implemented a simple structurally typed language in PLT redex.

Publications

[11]	Andy Tockman, Pratap Singh, Andres Erbsen, Samuel Gruetter, and Adam Chlipala. Foundational Verification of Running-Time Bounds for Interactive Programs. Proceedings of the 15th ACM SIGPLAN International Conference on Certified Programs and Proofs, pages 187--200, January 2026. [ DOI \| PDF \| code ]
[10]	Samuel Gruetter, Thomas Bourgeat, and Adam Chlipala. Verifying Software Emulation of an Unsupported Hardware Instruction. 15th International Conference on Interactive Theorem Proving (ITP 2024), 309, September 2024. [ DOI \| PDF \| code ]
[9]	Samuel Gruetter, Viktor Fukala, and Adam Chlipala. Live Verification in an Interactive Proof Assistant. Proceedings of the ACM on Programming Languages, 8(PLDI), June 2024. [ DOI \| PDF \| code ]
[8]	Andres Erbsen, Jade Philipoom, Dustin Jamner, Ashley Lin, Samuel Gruetter, Clément Pit-Claudel, and Adam Chlipala. Foundational Integration Verification of a Cryptographic Server. Proceedings of the ACM on Programming Languages, 8(PLDI), June 2024. [ DOI \| PDF \| code ]
[7]	Thomas Bourgeat, Ian Clester, Andres Erbsen, Samuel Gruetter, Pratap Singh, Andy Wright, and Adam Chlipala. Flexible Instruction-Set Semantics via Abstract Monads (Experience Report). Proceedings of the ACM on Programming Languages, 7(ICFP), August 2023. [ DOI \| PDF \| code ]
[6]	Arthur Charguéraud, Adam Chlipala, Andres Erbsen, and Samuel Gruetter. Omnisemantics: Smooth Handling of Nondeterminism. ACM Transactions on Programming Languages and Systems, 45(1), March 2023. [ DOI \| PDF \| code ]
[5]	Andres Erbsen, Samuel Gruetter, Joonwon Choi, Clark Wood, and Adam Chlipala. Integration Verification Across Software and Hardware for a Simple Embedded System. PLDI 2021: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation, June 2021. [ DOI \| PDF \| code ]
[4]	Qinxiang Cao, Lennart Beringer, Samuel Gruetter, Josiah Dodds, and Andrew W. Appel. VST-Floyd: A Separation Logic Tool to Verify Correctness of C Programs. Journal of Automated Reasoning, 61(1-4), June 2018. [ DOI \| PDF \| code ]
[3]	Samuel Gruetter and Toby Murray. Short Paper: Towards Information Flow Reasoning about Real-World C Code. PLAS '17: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security, October 2017. [ DOI \| PDF \| code ]
[2]	Samuel Gruetter, Daniel Graf, and Benjamin Schmid. Watch them Fight! Creativity Task Tournaments of the Swiss Olympiad in Informatics. Olympiads in Informatics, 10(1), July 2016. [ DOI \| PDF \| code ]
[1]	Nada Amin, Samuel Gruetter, Martin Odersky, Tiark Rompf, and Sandro Stucki. The Essence of Dependent Object Types. A List of Successes That Can Change the World: Essays Dedicated to Philip Wadler on the Occasion of His 60th Birthday (WadlerFest), (Lecture Notes in Computer Science LNTCS, volume 9600), March 2016. [ DOI \| PDF \| code ]

Preprints, Theses, Reports

[10]	Ben Fiedler, Samuel Gruetter, and Timothy Roscoe. Sockeye: A language for analyzing hardware documentation, April 2026. [ DOI \| PDF \| code ]
[9]	Samuel Gruetter. Techniques for Foundational End-to-End Verification of Systems Stacks. PhD thesis, MIT, September 2024. [ PDF ]
[8]	Samuel Gruetter. Counterexamples for Coq Conjectures. CoqPL'19, January 2019. [ PDF \| code ]
[7]	Samuel Gruetter and Toby C. Murray. VST-Flow: Fine-grained low-level reasoning about real-world C code. Technical report, University of Melbourne, September 2017. [ PDF \| code ]
[6]	Samuel Gruetter. Improving the Coq proof automation tactics of the Verified Software Toolchain, based on a case study on verifying a C implementation of the AES encryption algorithm. MSc thesis, EPFL/Princeton University, April 2017. [ PDF \| code ]
[5]	Samuel Gruetter. Connecting Scala to DOT. MSc semester project, EPFL, June 2016. [ PDF \| code ]
[4]	Samuel Gruetter. Dependent Object Types With Existential Quantification Over Objects. Research report, EPFL, July 2015. [ PDF \| code ]
[3]	Samuel Gruetter. Improving Leon's Termination Checker. Project report, EPFL, June 2015. [ PDF \| code ]
[2]	Samuel Gruetter. Machine-checked typesafety proofs. MSc semester project, EPFL, June 2014. [ PDF \| code ]
[1]	Samuel Gruetter. Explorations of type systems. BSc semester project, EPFL, June 2013. [ PDF \| code ]

Education

September 2024: PhD in Computer Science at MIT with Prof. Adam Chlipala’s Programming Languages and Verification Group
April 2017: MSc in Computer Science from EPFL in Lausanne, Switzerland
July 2013: BSc in Computer Science from EPFL

Industry Experience

Summer 2021: At Google Research, worked on the Silver Oak Project, using Bedrock2 to formally verify drivers for peripherals used in the OpenTitan root of trust, and connected software correctness proofs to hardware correctness proofs
Summer 2019: Worked with Rustan Leino at Amazon’s Automated Reasoning Group on a prototype rewrite of Amazon’s S3 Encryption Client in Dafny, a verification-aware programming language. Wrote and proved specifications for software interacting with real-world systems such as Amazon’s S3 storage service
Fall 2015: 6 months Software Engineering Internship at Netcetera AG, Berne, working in a scrum team, developing a Web Application with a Java/Oracle DB/Spring backend and an AngularJS/TypeScript frontend
Summer 2012: Java Internship at Accenture in Bangalore (India), developed a web interface with JSF/Enterprise JavaBeans monitoring hundreds of servers and databases