We are announcing the release of Vanir, a new open-source security patch validation tool. Unveiled during Android Bootcamp in April, Vanir lets Android platform developers quickly and effectively check their customized platform code for missing security patches and identify the relevant available patches. Vanir automates patch validation, enabling OEMs to ensure that their devices receive critical security updates faster than conventional methods allow. This strengthens the security of the Android ecosystem and plays a vital role in keeping Android users worldwide safe.
By open-sourcing Vanir, we aim to let the wider security community participate in and benefit from this tool. This fosters broader adoption and ultimately improves security across different ecosystems. While originally built for Android, Vanir can be adapted to other ecosystems with minor modifications, making it a versatile tool for improving software security generally. In collaboration with the Google Open Source Security Team, we have incorporated feedback from our initial users to improve Vanir and make it more useful to security professionals. The tool is now available for you to build on and integrate into your systems.
Why Vanir Is Needed
The Android ecosystem depends on a multifaceted process for addressing vulnerabilities. When a new vulnerability comes to light, upstream AOSP developers create and release upstream patches. Subsequently, downstream device and chip manufacturers evaluate the impact on their specific devices and implement the necessary fixes through backporting. While this process is effective, it can pose challenges in scalability, especially for manufacturers juggling a diverse array of devices and older models with intricate update histories. Maintaining patch coverage across various customized devices often entails a significant effort due to the manual nature of backporting.
In order to streamline this vital security workflow, we introduced Vanir. Vanir establishes a scalable and sustainable solution for adopting and validating security patches, thereby ensuring that Android devices promptly receive protection against potential threats.
What Vanir Can Do
Codebase-Centric Static Analysis
Vanir employs a pioneering approach to Android security patch validation, utilizing source-code-based static analysis to directly contrast the target source code with identified vulnerable code patterns. Unlike conventional metadata-based verification mechanisms relying on version numbers, repository history, and build configurations, Vanir operates independently of these and is less susceptible to errors. This distinctive approach grants Vanir the ability to scrutinize entire codebases with complete history, individual files, or even partial code snippets.
A core objective of Vanir is to automate the laborious and expensive task of pinpointing missing security patches within the open-source software ecosystem. During the early stages of Vanir’s development, it was evident that manually identifying a large number of missing patches demands manpower and can inadvertently expose user devices to known vulnerabilities. To counter this, Vanir employs innovative automatic signature refinement techniques and multiple pattern analysis algorithms, inspired by the vulnerable code clone detection algorithms presented by Jang et al. [1] and Kim et al. [2]. These algorithms exhibit low false alarm rates and effectively handle a wide range of code alterations that may surface during code patch procedures. In fact, from our 2-year experience with Vanir, only 2.72% of signatures triggered false alarms. This empowers Vanir to efficiently uncover missing patches, even amidst code changes, while reducing unnecessary alerts and manual review efforts.
Vanir’s source-code-based method also facilitates rapid scalability across any ecosystem. It can produce signatures for any source files written in supported languages. Vanir’s signature generator automatically crafts, tests, and hones these signatures, enabling users to promptly develop signatures for new vulnerabilities in any ecosystem by merely providing source files with security patches.
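As an added illustration that is not part of the original post or of Vanir's own code base, here is a toy version of the ReDeBug/VUDDY-style idea described above: normalize the pre-patch code, hash windows of consecutive lines, drop the windows that survive the patch (the refinement step), and report a target as missing the patch when the remaining windows are still present. The sample C functions and the keyword list are constructed for the example; real Vanir signatures come from OSV.

```python
import hashlib
import re

# Constructed sample (not real Android code): pre-patch and post-patch versions of a
# function, plus a downstream fork that was renamed/reformatted but never took the fix.
VULNERABLE = """int parse_len(const char *buf, size_t n) {
    int len = buf[0];
    memcpy(out, buf + 1, len);   /* no bounds check */
    return len;
}"""
PATCHED = """int parse_len(const char *buf, size_t n) {
    int len = buf[0];
    if (len < 0 || (size_t)len > n - 1)
        return -1;
    memcpy(out, buf + 1, len);
    return len;
}"""
FORK_UNPATCHED = """int parse_len(const char *data, size_t size) {
    int length = data[0];
    memcpy(dst, data+1, length);
    return length;
}"""
KEYWORDS = {"int", "char", "const", "size_t", "if", "return", "void", "unsigned"}

def normalize(src):
    """Strip comments/whitespace and abstract identifiers to ID, so renames hide nothing."""
    out = []
    for raw in src.splitlines():
        line = re.sub(r"//.*|/\*.*?\*/", "", raw)
        line = re.sub(r"[A-Za-z_]\w*", lambda m: m.group(0) if m.group(0) in KEYWORDS else "ID", line)
        line = re.sub(r"\s+", "", line)
        if line:
            out.append(line)
    return out

def ngrams(lines, n=2):
    """Hash every window of n consecutive normalized lines (ReDeBug-style fingerprints)."""
    return {hashlib.sha256("\n".join(lines[i:i + n]).encode()).hexdigest()
            for i in range(len(lines) - n + 1)}

def build_signature(vulnerable_src, patched_src, n=2):
    """Refinement: keep only n-grams the patch removed, so already-fixed code cannot match."""
    sig = ngrams(normalize(vulnerable_src), n) - ngrams(normalize(patched_src), n)
    if not sig:
        raise ValueError("patch did not change the normalized code; no usable signature")
    return sig

def is_missing_patch(target_src, signature, n=2, threshold=1.0):
    """True when the target still carries enough of the vulnerable n-grams."""
    return len(signature & ngrams(normalize(target_src), n)) / len(signature) >= threshold
```

With these inputs the refined signature is a single line pair (the assignment followed directly by the unchecked copy), which the renamed fork still contains and the patched version does not.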
Android’s successful utilization of Vanir underscores its effectiveness compared to conventional patch verification methods. With Vanir, a single engineer was able to generate signatures for over 150 vulnerabilities and validate missing security patches across their downstream branches within just five days.
Vanir for Android
Currently, Vanir supports C/C++ and Java targets, encompassing 95% of Android kernel and userspace CVEs with publicly available security patches. The Google Android Security team regularly integrates the latest CVEs into Vanir’s coverage to present a comprehensive overview of the Android ecosystem’s patch adoption risk profile.
Vanir’s signatures for Android vulnerabilities are accessible through the Open Source Vulnerabilities (OSV) database. This setup allows Vanir users to effortlessly safeguard their codebases against the latest Android vulnerabilities without necessitating additional updates. Presently, over 2,000 Android vulnerabilities are cataloged in OSV, with a complete scan of an entire Android source tree typically taking 10-20 minutes on a modern PC.
Adaptable Integration, Adoption, and Extension
Vanir is developed not just as a standalone application but also as a Python library. Users seeking to integrate automated patch verification processes with their continuous build or test chain can effortlessly achieve this by connecting their build integration tool with Vanir’s scanner libraries. For instance, Vanir is seamlessly integrated into a continuous testing pipeline at Google, ensuring the adoption of all security patches in the constantly evolving Android codebase and their primary downstream branches.
Vanir is completely open-source and licensed under BSD-3. As Vanir is not inherently confined to the Android ecosystem, you can easily implement Vanir for any ecosystem you wish to safeguard by making minor adjustments to Vanir. Furthermore, since Vanir’s underlying algorithm is not limited to security patch validation, you can modify the source code and utilize it for various purposes such as detecting licensed code or code clones. The Android Security team is receptive to your contributions to Vanir, in any direction that enhances its capabilities and scope. You can also contribute to Vanir by furnishing vulnerability data with Vanir signatures to OSV.
Vanir Achievements
Over the past year, we have collaborated with several Android OEMs to evaluate the effectiveness of the tool. Internally, we have seamlessly integrated the tool into our build system, conducting continuous testing against over 1,300 vulnerabilities. Currently, Vanir covers 95% of all Android, Wear, and Pixel vulnerabilities with publicly available fixes across Android Kernel and Userspace. It boasts a 97% accuracy rate, saving our internal teams over 500 hours to date in patch rectification time.
Future Endeavors
We are excited to announce that Vanir is now open to the public. Vanir is not restricted to Android alone, and we are actively exploring ways in which Vanir can address other issues, such as general C/C++ dependency management through integration with OSV-scanner. If you are interested in utilizing or contributing to Vanir, please visit github.com/google/vanir. Feel free to join our public community to share your feedback and queries regarding the tool.
We are eager to collaborate with you on Vanir!
References
[1] J. Jang, A. Agrawal and D. Brumley, “ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions,” 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 2012, pp. 48-62, doi: 10.1109/SP.2012.13.
[2] S. Kim, S. Woo, H. Lee and H. Oh, “VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery,” 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 2017, pp. 595-614, doi: 10.1109/SP.2017.62.