Verifying a Binary Micro-Hypervisor Intercept Handler

Hypervisors provide a security foundation of cloud computing, yet have suffered exploits. Efforts at formal verification have included codevelopment (XMHF) and interactive theorem proving (seL4). A technique that can be quickly applied to existing hypervisors is desirable. We examine binaries by extending the Binary Analysis Platform (BAP) to include the required system mode instructions used by hypervisors. We translate the BAP output to Boogie, a language which is then converted to an SMT formula, and define a security property that the hypervisor response to guest execution does not modify the hypervisor code pages. We use BAP and Boogie to automatically detect one ported and two injected bugs and verify that 1000 random traces through the intercept handler do not violate our property. We identify constructs that are difficult to verify automatically. Our tool should be usable in analyzing other hypervisors.