Vanir - Static Analysis for Detecting Missing Security Patches

Vanir is a source code-based static analysis tool designed to automatically identify missing security patches in target systems.

It operates with a low false-positive rate, leveraging up-to-date CVE data from Open Source Vulnerabilities (OSV) and supports C/C++ and Java source code. Below is a detailed guide on how to use Vanir effectively.

Key Features of Vanir

  1. Code Variance Tolerance: Detects missing patches even in customized codebases, making it ideal for Android device vendors and custom kernel maintainers.

  2. Metadata-Agnostic Detection: Analyzes source code directly without relying on metadata like version numbers or commit histories.

  3. Automated Signature Generation: Streamlines the creation of vulnerability signatures for efficient patch adoption.

  4. Runtime Efficiency: Faster than binary-based or dynamic analysis tools due to its static source-code analysis approach.

  5. Transparency and Open Source: Fully open-source, allowing users to independently investigate vulnerabilities.

  6. Continuously Updated Data: Maintains up-to-date Android security data from OSV, with potential for broader ecosystem support.

  7. CI/CD Integration: Offers a Python library for seamless integration into automated pipelines.

Prerequisites

Vanir is currently supported on Linux systems. Ensure the following tools are installed:

  • Bazel (>= 6.0): Used for building Vanir.

  • Git: Required for downloading dependencies.

sudo apt install git

  • Java Runtime Environment (JRE >= 11): Needed for Antlr4 parsers.

sudo apt install openjdk-11-jre

  • Python 3.9 and C++17 Toolchain: Required for running and building Vanir.

Installation and Setup

1. Clone the Vanir repository:

git clone https://github.com/google/vanir.git ~/vanir

cd ~/vanir

2. Build the Vanir Detector Runner:

bazel build //:detector_runner --build_python_zip -c opt

If successful, a standalone binary detector_runner will be created in ./bazel-bin/.

3. Run the tests to verify the installation:

bazel test --test_output=all //...

Using Vanir Detector

Scanning a Target System

To scan an Android repository located at ~/my/android/repo:

./bazel-bin/detector_runner repo_scanner Android ~/my/android/repo

Output Reports

Vanir generates reports in JSON and HTML formats at /tmp/vanir/. For example:

  • /tmp/vanir/report-YYYYMMDDhhmmss.json

  • /tmp/vanir/report-YYYYMMDDhhmmss.html

You can customize the output location and file name prefix using the --report_file_name flag (the scanner arguments are the same as in the scan above):

./bazel-bin/detector_runner \
  --report_file_name=/path/to/output/report_prefix \
  repo_scanner Android ~/my/android/repo

Advanced Configurations

Custom Signatures

Vanir supports custom vulnerability signatures in JSON format, passed with --vulnerability_file_name (the scanner arguments are the same as in the scan above):

./bazel-bin/detector_runner \
  --vulnerability_file_name ~/Downloads/custom_signature.json \
  repo_scanner Android ~/my/android/repo

Target Selection Strategies

Vanir offers three strategies for optimizing runtime:

  1. ALL_FILES: Scans all files (thorough but slow).

  2. EXACT_PATH_MATCH: Scans files matching exact paths (fast but limited).

  3. TRUNCATED_PATH_MATCH (default): Balances thoroughness and speed by scanning files with partial path matches.

Filtering Results

Use flags to refine scanning results:

  • Exclude specific CVEs:

--cve_id_ignore_list=CVE-1234-12345,CVE-4567-45678

  • Limit scanning to specific file paths:

--sign_target_path_filter=drivers/nvme

Examples of Scanning

1. Scan an Android kernel directory:

./bazel-bin/detector_runner android_kernel_scanner /path/to/kernel/code

2. Scan a specific Android package:

./bazel-bin/detector_runner package_scanner Android platform/frameworks/base /path/to/codebase

3. Perform a comprehensive scan of all files in a directory:

./bazel-bin/detector_runner \
  --target_selection_strategy=all_files \
  offline_directory_scanner /path/to/codebase

Interpreting Results

Vanir provides detailed reports identifying unpatched vulnerabilities:

Example JSON Report Structure:

{
    "options": "--target_root=/path/to/code",
    "covered_cves": ["CVE-2020-12345", "CVE-2021-67890"],
    "missing_patches": [
        {
            "ID": "ASB-A-123456789",
            "CVE": ["CVE-2020-12345"],
            "OSV": "https://osv.dev/vulnerability/ASB-A-123456789",
            "details": [
                {
                    "unpatched_code": "src/file.c::function_name",
                    "patch": "https://example.com/patch",
                    "matched_signature": "ASB-A-123456789-signature"
                }
            ]
        }
    ]
}

Example HTML Report:

The HTML report provides a user-friendly view of the same data, highlighting affected files, missing patches, and links to fixes.

Tips for Efficient Usage

  1. Use the --verbosity flag to control logging levels during scans (e.g., --verbosity=-1 for warnings only).

  2. Integrate Vanir into CI/CD pipelines using its Python library for automated patch verification.

  3. Regularly update vulnerability signatures from OSV or other sources.
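The report structure shown under "Interpreting Results" and the CI/CD tip above can be combined into a build gate: read the JSON report that detector_runner writes, apply the same local policy the --cve_id_ignore_list and --sign_target_path_filter flags express, and fail the pipeline only when an actionable missing patch remains. The script below is an added example, not Vanir's own library or code; it assumes only the "missing_patches", "ID", "CVE", "details", "unpatched_code" and "patch" fields from the sample report, and the sample report embedded in it is constructed (the second entry, its ID and its file path are invented for illustration).

```python
"""CI gate over a Vanir JSON report (added example, not part of Vanir).

Assumes the report layout from the sample above: a top-level "missing_patches"
list whose entries carry "ID", "CVE" (list) and "details" (list of dicts with
"unpatched_code" and "patch"). No other fields are relied on.
"""
import json
import sys
from typing import Iterable


def load_report(path: str) -> dict:
    """Read the JSON report written by detector_runner."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def select_findings(report: dict, ignore_cves: Iterable[str] = (),
                    path_prefix: str = "") -> list:
    """Return the missing-patch entries that still matter after local policy.

    ignore_cves mirrors --cve_id_ignore_list: an entry is dropped only when
    every CVE it lists is on the ignore list (an entry with no CVE is kept).
    path_prefix mirrors --sign_target_path_filter: only details whose
    unpatched_code starts with the prefix survive, and an entry with no
    surviving details is dropped.
    """
    ignored = set(ignore_cves)
    selected = []
    for entry in report.get("missing_patches", []):
        cves = entry.get("CVE", [])
        if cves and all(cve in ignored for cve in cves):
            continue
        details = [d for d in entry.get("details", [])
                   if d.get("unpatched_code", "").startswith(path_prefix)]
        if not details:
            continue
        selected.append({**entry, "details": details})
    return selected


def summarize(findings: list) -> str:
    """One line per finding plus one per unpatched location, for the CI log."""
    lines = []
    for entry in findings:
        cves = ", ".join(entry.get("CVE", [])) or "no CVE listed"
        lines.append(f"{entry['ID']} ({cves})")
        for d in entry["details"]:
            lines.append(f"  unpatched: {d['unpatched_code']}  "
                         f"fix: {d.get('patch', 'no patch URL')}")
    return "\n".join(lines)


def gate(report: dict, ignore_cves: Iterable[str] = (),
         path_prefix: str = "") -> int:
    """Exit status for the pipeline: 0 when nothing is left to fix, else 1."""
    findings = select_findings(report, ignore_cves, path_prefix)
    if findings:
        print(summarize(findings))
        return 1
    return 0


# Constructed sample report. The first entry copies the page's example; the
# second entry (ID, CVE assignment, file path) is invented for illustration.
SAMPLE_REPORT = {
    "options": "--target_root=/path/to/code",
    "covered_cves": ["CVE-2020-12345", "CVE-2021-67890"],
    "missing_patches": [
        {
            "ID": "ASB-A-123456789",
            "CVE": ["CVE-2020-12345"],
            "OSV": "https://osv.dev/vulnerability/ASB-A-123456789",
            "details": [{
                "unpatched_code": "src/file.c::function_name",
                "patch": "https://example.com/patch",
                "matched_signature": "ASB-A-123456789-signature",
            }],
        },
        {
            "ID": "ASB-A-987654321",  # constructed
            "CVE": ["CVE-2021-67890"],
            "OSV": "https://osv.dev/vulnerability/ASB-A-987654321",
            "details": [{
                "unpatched_code": "drivers/nvme/host/core.c::nvme_example_fn",
                "patch": "https://example.com/patch2",
                "matched_signature": "ASB-A-987654321-signature",
            }],
        },
    ],
}


if __name__ == "__main__":
    # Usage: python vanir_gate.py /tmp/vanir/report-YYYYMMDDhhmmss.json [CVE ...]
    # With no arguments the constructed sample report is gated instead.
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, ignore_cves=sys.argv[2:]))
```

The gate deliberately treats an entry as ignorable only when all of its CVEs are on the ignore list, so a signature that covers one accepted-risk CVE and one unreviewed CVE still fails the build; the path prefix is applied per detail, matching how the page's --sign_target_path_filter example narrows a scan to drivers/nvme.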

Vanir is a powerful tool for maintaining secure codebases by identifying missing patches efficiently and accurately, making it indispensable for developers managing large-scale or customized systems like Android platforms. You can learn more and download Vanir on GitHub.
