Vanir: Open-source security patch validation for Android
Google’s open-source tool Vanir enables Android developers to quickly scan custom platform code for missing or applicable security patches. By automating patch validation, Vanir helps OEMs deliver critical security updates faster, enhancing the security of the Android ecosystem.
Vanir uses source-code-based static analysis to identify vulnerable code patterns directly. Unlike traditional metadata-based methods prone to errors, Vanir can analyze entire codebases, individual files, or partial snippets with full accuracy.
Vanir automates the costly, time-intensive process of identifying missing security patches in open-source software. Manual methods risk leaving devices exposed to vulnerabilities, prompting Vanir’s development of automatic signature refinement techniques and multi-pattern analysis algorithms. These algorithms maintain low false-alarm rates (2.72% over two years) and handle diverse code changes, reducing manual review while detecting missing patches.
Vanir’s source-code-based approach scales across ecosystems, generating and refining signatures for any supported language. Users can create signatures for new vulnerabilities by simply providing patched source files.
Android’s adoption of Vanir demonstrates its impact: a single engineer generated signatures for 150 vulnerabilities and verified missing patches across downstream branches in five days, far outperforming traditional methods.
“Currently Vanir supports C/C++ and Java targets and covers 95% of Android kernel and userspace CVEs with public security patches. Google Android Security team consistently incorporates the latest CVEs into Vanir’s coverage to provide a complete picture of the Android ecosystem’s patch adoption risk profile,” Google’s Open Source Security Team explained.
“The Vanir signatures for Android vulnerabilities are published through the Open Source Vulnerabilities (OSV) database. This allows Vanir users to seamlessly protect their codebases against latest Android vulnerabilities without any additional updates. Currently, there are over 2,000 Android vulnerabilities in OSV, and finishing scanning an entire Android source tree can take 10-20 minutes with a modern PC,” the team added.
Vanir is available both as a standalone application and a Python library. Users can integrate automated patch verification into their continuous build or testing workflows by connecting their build tools to Vanir’s scanner libraries.
Vanir is available for free download on GitHub.
Must read:
- 33 open-source cybersecurity solutions you didn’t know you needed
- 20 free cybersecurity tools you might have missed
- 15 open-source cybersecurity tools you’ll wish you’d known earlier
- 20 essential open-source cybersecurity tools that save you time