Google has launched Vanir, an open-source tool to simplify and automate security patch validation.
First previewed at the Android Bootcamp in April, Vanir helps Android developers and OEMs quickly adopt security patches, enhancing Android ecosystem security.
Google Introduces Vanir
Vanir is the outcome of extensive research and development focused on simplifying the complexities of managing a wide range of devices with varying update histories.
It addresses the difficulties faced by developers and manufacturers in ensuring that security patches are effectively applied across different device configurations, helping to maintain consistent and robust security standards.
Vanir simplifies the traditionally time-consuming and error-prone process of identifying and applying vulnerability fixes by automating patch validation with source-code-based static analysis.
Instead of relying on metadata or repository history, it detects vulnerabilities by comparing source code against known patterns of weaknesses.
In Google’s internal tests, Vanir achieved a 97% accuracy rate, saving over 500 hours of manual work. This makes it especially valuable for OEMs, helping them quickly scale their efforts to protect devices from critical security threats.
Google reports that Vanir, initially designed for Android, is adaptable to other ecosystems due to its open-source framework.
- Supported Languages: C/C++ and Java, covering 95% of Android kernel and userspace CVEs with public patches.
- Core Features: Advanced signature refinement and pattern analysis techniques allow it to detect missing patches, even amid extensive code changes.
- Integration Options: Available as a standalone application or a Python library for seamless use in build or test pipelines.
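To make the source-code-based approach described above concrete, here is an added, self-contained Python illustration of signature-based missing-patch detection. It is not Vanir's code and does not reproduce Vanir's actual signature format; it is a simplified version of the same idea: derive signatures from a known vulnerable function and its patched form, refine the line-level signature by dropping lines the patch did not change, and then flag functions in a target tree that still match, even after identifiers are renamed or the code is reformatted. All source snippets, file paths and function names below are constructed for the example and do not correspond to real Android code or any real CVE.

```python
import hashlib
import re

# Constructed example: a bounds check whose addition can wrap around (pre-patch)
# and its overflow-safe replacement (post-patch). Not real Android code, not a real CVE.
VULNERABLE_SRC = r'''
int read_chunk(const uint8_t *buf, size_t buf_len, size_t offset, size_t size, uint8_t *out)
{
    if (offset + size > buf_len)        /* offset + size can wrap around */
        return -EINVAL;
    memcpy(out, buf + offset, size);
    return 0;
}
'''

PATCHED_SRC = r'''
int read_chunk(const uint8_t *buf, size_t buf_len, size_t offset, size_t size, uint8_t *out)
{
    if (size > buf_len || offset > buf_len - size)
        return -EINVAL;
    memcpy(out, buf + offset, size);
    return 0;
}
'''

C_KEYWORDS = {"auto", "break", "case", "char", "const", "continue", "default", "do", "double",
              "else", "enum", "extern", "float", "for", "goto", "if", "inline", "int", "long",
              "register", "return", "short", "signed", "sizeof", "static", "struct", "switch",
              "typedef", "union", "unsigned", "void", "volatile", "while"}

TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|0[xX][0-9a-fA-F]+|\d+'
                      r'|[A-Za-z_]\w*|->|<<|>>|<=|>=|==|!=|&&|\|\||\S')
FUNC_HEAD = re.compile(r'\b([A-Za-z_]\w*)\s*\([^;{}()]*\)\s*\{')


def strip_comments(code):
    code = re.sub(r'/\*.*?\*/', ' ', code, flags=re.S)
    return re.sub(r'//[^\n]*', ' ', code)


def normalize(code):
    """Tokenize C code; rename identifiers to ID0, ID1, ... in order of first
    appearance and collapse literals to LIT, so renaming and reformatting do not
    change the result."""
    names, out = {}, []
    for tok in TOKEN_RE.findall(strip_comments(code)):
        if tok in C_KEYWORDS:
            out.append(tok)
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(names.setdefault(tok, f"ID{len(names)}"))
        elif tok[0] in "\"'" or tok[0].isdigit():
            out.append("LIT")
        else:
            out.append(tok)
    return out


def digest(tokens):
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()[:16]


def extract_functions(code):
    """Naive C function extractor: returns (name, text) for each top-level function."""
    code = strip_comments(code)
    funcs = []
    for m in FUNC_HEAD.finditer(code):
        name = m.group(1)
        if name in C_KEYWORDS:          # skip if/for/while/switch blocks
            continue
        depth, i = 0, m.end() - 1
        while i < len(code):
            if code[i] == "{":
                depth += 1
            elif code[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        start = max(code.rfind(";", 0, m.start()), code.rfind("}", 0, m.start())) + 1
        funcs.append((name, code[start:i + 1].strip()))
    return funcs


def line_sigs(fn_text):
    """Hash each normalized line; lines with fewer than three tokens (braces,
    blank lines) carry no signal and are dropped."""
    sigs = set()
    for line in fn_text.splitlines():
        toks = normalize(line)
        if len(toks) >= 3:
            sigs.add(digest(toks))
    return sigs


def build_signature(vuln_src, patched_src):
    """Function-level hash of the vulnerable function plus a refined line-level
    signature: only lines that the patch actually changed are kept."""
    _, vuln_fn = extract_functions(vuln_src)[0]
    _, patched_fn = extract_functions(patched_src)[0]
    return {"function": digest(normalize(vuln_fn)),
            "lines": line_sigs(vuln_fn) - line_sigs(patched_fn)}


def scan_tree(tree, sig, threshold=0.5):
    """tree maps path -> source text. Returns (path, function, verdict) findings."""
    findings = []
    for path, src in tree.items():
        for name, fn in extract_functions(src):
            if digest(normalize(fn)) == sig["function"]:
                findings.append((path, name, "missing patch: function signature match"))
            elif sig["lines"]:
                hit = len(line_sigs(fn) & sig["lines"]) / len(sig["lines"])
                if hit >= threshold:
                    findings.append((path, name,
                                     f"likely missing patch: {hit:.0%} of vulnerable lines present"))
    return findings


# Constructed target tree: a renamed copy of the vulnerable code, the patched code,
# and a lightly modified vulnerable copy (an extra debug line).
SAMPLE_TREE = {
    "drivers/foo/a.c": r'''
int parse_blob(const uint8_t *data, size_t datalen,
               size_t off, size_t n, uint8_t *dst)
{
    // same logic as the vulnerable read_chunk, renamed and reformatted
    if (off + n > datalen)
        return -EINVAL;
    memcpy(dst, data + off, n);
    return 0;
}
''',
    "drivers/foo/b.c": PATCHED_SRC,
    "drivers/foo/c.c": r'''
int read_chunk(const uint8_t *buf, size_t buf_len, size_t offset, size_t size, uint8_t *out)
{
    pr_debug("read_chunk off=%zu size=%zu\n", offset, size);
    if (offset + size > buf_len)
        return -EINVAL;
    memcpy(out, buf + offset, size);
    return 0;
}
''',
}


def run_demo():
    return scan_tree(SAMPLE_TREE, build_signature(VULNERABLE_SRC, PATCHED_SRC))


if __name__ == "__main__":
    for path, name, verdict in run_demo():
        print(f"{path}: {name}: {verdict}")
```

The renamed copy in a.c is caught by the function-level signature because identifier renaming and whitespace changes are normalized away; the patched b.c produces no finding; and c.c, which differs from the vulnerable function only by an added line, is still caught because the refined line signature contains exactly the line the patch changed. Refinement matters: without it, lines such as `return 0;` that are identical in the vulnerable and patched versions would match patched code too and produce false positives.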
Google has integrated Vanir into its testing pipeline, enabling continuous verification of its extensive Android codebase. The tool is open-sourced under the BSD-3 license, encouraging contributions from the developer and security community. Vanir’s vulnerability signatures for Android are available through the Open Source Vulnerabilities (OSV) database, which covers over 2,000 vulnerabilities and allows seamless updates for users.
With the ability to scan entire Android source trees in just 10–20 minutes, Vanir is positioned as a key solution for efficient security patch management.
By making Vanir open-source, Google aims to empower developers worldwide to contribute to its growth and extend its functionality. Additionally, the tool’s flexibility opens opportunities for broader applications, such as licensed code detection and comprehensive code clone analysis.
Google invites community contributions to refine Vanir and strengthen security across Android and the wider software ecosystem.