
Google Open Sources Security Patch Validation Tool for Android

Google has announced the open source availability of Vanir, a patch validation tool for Android platform developers.

Google on Thursday announced that it has open sourced a patch validation tool that helps Android platform developers scan their code for missing security patches.

Called Vanir, the tool relies on automation to accelerate patch validation, helping original equipment manufacturers (OEMs) ensure that their devices receive security updates faster.

“By open sourcing Vanir, we aim to empower the broader security community to contribute to and benefit from this tool, enabling wider adoption and ultimately improving security across various ecosystems,” the internet giant says.

Vanir is meant to streamline the vulnerability mitigation workflow on Android, which is currently a multi-stage process: upstream AOSP developers publish patches, and downstream manufacturers assess the impact and backport the fixes to their own branches.

The process poses scalability challenges to manufacturers that manage a broad range of devices with complex update histories, and the new tool addresses them, ensuring devices receive protections in a timely manner, Google says.  

Vanir relies on source-code-based static inspection to analyze entire codebases against known vulnerable code patterns, has low false-alarm rates, and can handle broad classes of code changes, effectively identifying missing patches.

According to Google, which has been using the tool internally for two years, users can generate signatures for supported vulnerabilities by providing Vanir with the source files that contain the security patches.

“Android’s successful use of Vanir highlights its efficiency compared to traditional patch verification methods. A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across its downstream branches – all within just five days,” Google says.


Currently, Vanir supports C/C++ and Java, covering 95% of Android, Wear, and Pixel flaws in the Android kernel and userspace that have public security patches. The signatures for Android flaws are published through the Open Source Vulnerabilities (OSV) database.

Fully open sourced under the BSD-3 license, Vanir is developed as a standalone application and a Python library and is integrated with a continuous testing pipeline in Google.

According to the internet giant, relatively small modifications could make Vanir suitable for other ecosystems as well, and for different purposes than security patch validation, such as licensed code detection or code clone detection.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
