web analytics

Google Launches Open Source Patch Validation Tool – Source: www.darkreading.com

Rate this post

Source: www.darkreading.com – Author: Jennifer Lawinski

a patchwork quilt

Source: Art of Food via Alamy Stock Photo

NEWS BRIEF

Security updates in the Android ecosystem is a complex, multistage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google’s latest open source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than current methods, according to an announcement on the Google Security Blog.

Vanir, which has a 97% accuracy rate, covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, saving internal teams “over 500 hours to date in patch fix time,” according to Google.

The tool does not rely on metadata, such as version numbers, repository history, or build configurations, to identify which updates are missing. Instead, Vanir uses automatic signature refinement techniques and multiple pattern analysis algorithms. Google said these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

“This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts,” the company said.

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches in just five days, Google noted.

While Vanir was originally introduced at Android Bootcamp back in April and is designed for Android, the tool can be adapted to other ecosystems and platforms with small modifications. Vanir can be used as a standalone application as well as a Python library. Users can integrate Vanir with their continuous builds or test chains by wiring the tool with Vanir scanner libraries.

About the Author

Jennifer Lawinski

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master’s degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Original Post URL: https://www.darkreading.com/vulnerabilities-threats/google-open-source-patch-validation-tool

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post