Hypervisors provide a security foundation of cloud computing, yet have suffered exploits. Efforts at formal verification have included codevelopment (XMHF) and interactive theorem proving (seL4). A technique that can be quickly applied to existing hypervisors is desirable. We examine binaries by extending the Binary Analysis Platform (BAP) to include the required system mode instructions used b...