Today, we are introducing Vanir, a new open-source security patch validation tool. First presented at the Android Bootcamp in April, Vanir gives Android platform developers a way to quickly identify and address missing security patches within their customized platforms. By automating patch validation, Vanir helps original equipment manufacturers (OEMs) get critical security updates onto their devices much faster than manual methods allow, which strengthens the Android ecosystem and keeps Android users around the world secure.
By open-sourcing Vanir, we aim to let the broader security community contribute to and benefit from it, encouraging wide adoption and ultimately improving security across many ecosystems. Although Vanir was built for Android, its design allows it to be adapted to other ecosystems with minimal changes, making it a flexible tool for strengthening software security across platforms. Together with the Google Open Source Security Team, we have incorporated feedback from our early adopters to refine Vanir and make it more useful to security practitioners, so that you can build on it and integrate it into your own tooling.
The Android ecosystem relies on a multi-stage process to mitigate vulnerabilities. When a new vulnerability is discovered, upstream Android Open Source Project (AOSP) developers develop and release a patch. Downstream device manufacturers and chip suppliers then assess the impact on their specific devices and apply the necessary updates. Although this process works, it faces scalability challenges, especially for manufacturers with many product lines and legacy models that have complex update histories. Maintaining effective patch coverage across many customized devices takes considerable effort because backporting is largely manual.
To simplify and strengthen this critical security process, we created Vanir. Vanir provides a scalable and sustainable way to accelerate security patch adoption and validation, helping ensure that Android devices are protected against emerging threats in a timely manner.
Source-code-based static analysis
Vanir takes a new approach to Android security patch validation: it uses source-code-based static analysis to check the target source code directly against predefined vulnerable code patterns. Traditional systems rely on metadata such as version numbers, repository history and build configurations, all of which are error-prone; Vanir does not depend on any of them. This lets Vanir analyze entire codebases with their complete history, individual files, and even isolated code fragments.
A key goal of Vanir is to automate the identification of missing security patches in the open-source software ecosystem, a task that was previously laborious and costly. As Vanir's development progressed, it became clear that manually identifying a large number of missing patches was not only tedious but also left consumer devices exposed to known vulnerabilities for extended periods. Vanir builds on the vulnerable code clone detection algorithms presented in [1] and [2], extending them with automated signature refinement and sample evaluation techniques. These algorithms have low false-alarm rates and can cope with the large-scale code changes that occur during patching. Our data shows that after two years of operating Vanir, only 2.72% of verified signatures produced false alarms. This lets Vanir efficiently identify missing patches, including those affected by later code changes, while reducing unnecessary alerts and manual review effort.
Because it works on source code, Vanir scales quickly across ecosystems: it can generate signatures for any source files written in the supported languages. Vanir's signature generator automatically creates, validates and refines signatures for newly discovered vulnerabilities, so users only need to supply the security patch files.
Android's adoption of Vanir shows its advantage over traditional patch verification methods. In just five days, a single engineer used Vanir to generate signatures for more than 150 vulnerabilities and to confirm that critical security patches were missing across multiple downstream branches.
Vanir for Android
Vanir currently supports C/C++ and Java targets and covers 95% of Android kernel and userspace Common Vulnerabilities and Exposures (CVEs) that have publicly available security patches. The Google Android Security team continuously adds new CVEs to Vanir's signature set, which provides a comprehensive view of patch adoption risk across the Android ecosystem.
Vanir signatures for Android vulnerabilities are retrieved from the database at scan time, so Vanir users can check their codebases against the latest Android vulnerabilities without updating the tool itself. Scanning an entire Android source tree currently takes about 10-20 minutes on modern PCs.
Versatile integration, adoption and growth
Vanir is designed to be used both as a standalone application and as a Python library. Organizations that want to add automated patch verification to their existing build or deployment pipeline can do so by connecting their build integration software to the Vanir scanner libraries. Vanir is integrated into Google's own testing pipeline, where it ensures timely adoption of critical security patches across the Android codebase and its first-party downstream branches.
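The static analysis described in the "Source-code-based static analysis" section and the library-style build integration described just above can be illustrated together with a small Python program. This is an added example written for this page, not Vanir's code or API: it derives a "missing patch" signature from the pre-patch side of a unified diff, abstracts identifiers, literals and whitespace the way the cited clone-detection work does, hashes overlapping windows of normalized lines, and flags a file only when every window is still present. The patch, the vendor files, the `PATCH-0001` identifier, the function names and the window size of 3 are all constructed for the example.

```python
"""Added example, not Vanir's code: derive a missing-patch signature from a security
patch and scan downstream sources for it (ReDeBug/VUDDY style). Names and data are constructed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

N_GRAM = 3  # window size in normalised lines; chosen for this example
_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# One pass over strings, numbers and identifiers so abstraction tokens are never re-abstracted.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"'          # string literal
                    r"|'(?:\\.|[^'\\])*'"         # char literal
                    r"|0[xX][0-9a-fA-F]+|\d+"     # hex / decimal number
                    r"|[A-Za-z_]\w*")             # identifier or keyword
_KEEP = {"if", "else", "for", "while", "return", "goto", "sizeof", "int", "unsigned",
         "char", "void", "size_t", "struct", "const", "memcpy", "memset", "NULL"}

def _abstract(m: re.Match) -> str:
    tok = m.group(0)
    if tok[0] in "\"'":
        return "STR"
    return "NUM" if tok[0].isdigit() else (tok if tok in _KEEP else "ID")

def normalize(code: str) -> list[str]:
    """Comment-free, identifier-abstracted, whitespace-free lines: renamed
    variables and reformatting in a downstream copy still match."""
    lines = (re.sub(r"\s+", "", _TOKEN.sub(_abstract, raw))
             for raw in _COMMENT.sub("", code).splitlines())
    return [ln for ln in lines if ln]

def _ngram_hashes(lines: list[str], n: int = N_GRAM) -> set[str]:
    return {hashlib.sha256("\n".join(lines[i:i + n]).encode()).hexdigest()
            for i in range(len(lines) - n + 1)}

@dataclass
class Signature:
    patch_id: str
    path: str
    hashes: set[str] = field(default_factory=set)

def signatures_from_patch(patch_id: str, diff: str) -> list[Signature]:
    """One signature per file in a unified diff, from the PRE-patch text of each
    hunk (context plus '-' lines); the '+' lines are the fix, not the pattern."""
    sigs: list[Signature] = []
    pre: list[str] = []
    def flush() -> None:
        if sigs and pre:
            sigs[-1].hashes |= _ngram_hashes(normalize("\n".join(pre)))
        pre.clear()
    for line in diff.splitlines():
        if line.startswith("--- "):
            flush()
            sigs.append(Signature(patch_id, line[4:].removeprefix("a/")))
        elif line.startswith(("+++ ", "@@")):
            flush()
        elif line.startswith(("-", " ")):
            pre.append(line[1:])
    flush()
    return [s for s in sigs if s.hashes]

def scan_file(path: str, code: str, sigs: list[Signature]) -> list[tuple[str, str]]:
    """(patch_id, path) for every signature whose windows are ALL present: once the
    fix inserts or edits a line, a window spanning that spot disappears."""
    present = _ngram_hashes(normalize(code))
    return [(s.patch_id, path) for s in sigs if s.hashes <= present]

def scan_tree(files: dict[str, str], sigs: list[Signature]) -> list[tuple[str, str]]:
    """Library-style entry point a build step can call; files maps path -> source."""
    return [hit for path, code in files.items() for hit in scan_file(path, code, sigs)]

# ---- constructed sample data (placeholder id, not a real CVE or real Android code) ----
PATCH = """\
--- a/net/parse.c
+++ b/net/parse.c
@@ -10,5 +10,7 @@ int parse_record(const uint8_t *buf, size_t len, struct rec *out)
 {
     size_t n = buf[0];
+    if (n > sizeof(out->name) - 1)
+        return -EINVAL;
     memcpy(out->name, buf + 1, n);
     out->name[n] = 0;
     return 0;
"""
# Downstream copy: renamed variables, comments, different indentation, fix never applied.
VENDOR_UNPATCHED = """\
int parse_record(const uint8_t *pkt, size_t pkt_len, struct rec *result)
{
  /* vendor: copy the name field */
  size_t name_len = pkt[0];
  memcpy(result->name, pkt + 1, name_len);  // no bounds check here
  result->name[name_len] = 0;
  return 0;
}
"""
VENDOR_PATCHED = VENDOR_UNPATCHED.replace(
    "  size_t name_len = pkt[0];\n",
    "  size_t name_len = pkt[0];\n  if (name_len > sizeof(result->name) - 1) return -EINVAL;\n")

if __name__ == "__main__":
    sigs = signatures_from_patch("PATCH-0001", PATCH)
    print(scan_tree({"vendor/net/parse.c": VENDOR_UNPATCHED,
                     "vendor/net/parse_fixed.c": VENDOR_PATCHED}, sigs))
```

Running it reports the renamed, re-indented and commented vendor copy as still missing `PATCH-0001`, while the copy that applied the bounds check is not reported, because the inserted line breaks the windows that spanned the insertion point. Requiring every window to match is what keeps the false-alarm rate low; a build step would call `scan_tree` on the checked-out sources and fail the build on a non-empty result. The window size and the keyword set are example choices, not Vanir's.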
Vanir is released under the permissive BSD-3 open source license. Because Vanir is not inherently tied to Android, you can likely deploy it on any platform with only minor changes to the codebase. And because Vanir's core algorithm is not limited to security patch verification, you can likely adapt it for other purposes, such as detecting licensed code or identifying code clones. The Android Security team welcomes contributions that expand Vanir's capabilities and reach. You can also contribute by sharing vulnerability information, along with Vanir signatures, with the Open Source Vulnerability Database (OSV).
For several months, our team has worked with leading Android manufacturers to test and validate Vanir. We have integrated it into our build process and tested it repeatedly against more than 1,300 vulnerabilities. Vanir currently covers approximately 95% of publicly disclosed Android, Wear and Pixel vulnerabilities that have publicly available fixes in the Android kernel and userspace. The tool has a 97% accuracy rate and has already delivered significant productivity gains for our internal teams, streamlining patch fixes and saving over 500 hours of engineering time.
We are delighted to make Vanir available to the public. Vanir is not limited to Android, and we are also exploring its use for other problems, including the management of common C/C++ dependencies via. If you are eager to use or contribute to Vanir, visit. We welcome your feedback and ideas on the software through this online forum.
Let’s collaborate on developing Vanir.
[1] J. Jang, A. Agrawal and D. Brumley, “ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions,” 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2012, pp. 48-62, doi: 10.1109/SP.2012.13.
[2] S. Kim, S. Woo, H. Lee and H., “VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery,” 2017 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 2017, pp. 595-614, doi: 10.1109/SP.2017.62.