An Open-Source Patch Validation Tool is Launched by Google
In the Android ecosystem, security updates are a complicated, multi-phase process. Each downstream manufacturer is in charge of implementing security fixes and distributing them to specific consumer devices. Multiple update versions are the responsibility of manufacturers due to their varied device portfolios, which include many models running various versions of the Android operating system and associated applications. Updates for Android devices are currently labor-intensive and time-consuming.
In the Android ecosystem, security updates are a complicated, multi-phase process. Each downstream manufacturer is in charge of implementing security fixes and distributing them to specific consumer devices. Multiple update versions are the responsibility of manufacturers due to their varied device portfolios, which include many models running various versions of the Android operating system and associated applications. Updates for Android devices are currently labor-intensive and time-consuming.
By employing static code analysis to scan custom platform code, Vanir, Google's newest open-source security patch validation tool, expedites the process of identifying security updates that are missing from the platform. An item on the Google Security Blog states that OEMs may detect missing security upgrades significantly more quickly by automating this process than they can with existing techniques.
Vanir has a 97% accuracy rate and covers 95% of all Android, Wear, and Pixel vulnerabilities that have already been fixed publicly, according to the startup. A component of Google's build system, Vanir checks for more than 1,300 vulnerabilities and has reportedly saved internal teams "over 500 hours to date in patch fix time," according to Google.
To determine whether updates are missing, the tool does not rely on metadata (such as build setups, repository histories, or version numbers). Vanir uses a variety of pattern analysis tools and automatic signature refinement approaches instead. According to Google, these algorithms have low false-alarm rates; during the two years that Vanir was tested, only 2.72% of signatures resulted in false alerts. This makes it possible for Vanir to quickly identify missing patches despite code modifications, while minimizing unnecessary alerts and manual review efforts," the company said.
According to Google, one developer only needed five days to utilize Vanir to create signatures for more than 150 vulnerabilities and confirm that downstream branches had the necessary security patches. Although Vanir was first unveiled at Android Bootcamp in April, it is primarily an Android tool, though it can be easily modified to work with other ecosystems and platforms. Vanir is both a Python library and a stand-alone application. Users can wire the tool with Vanir scanner libraries to integrate Vanir with their continuous build or test chain.