Google Pixel 10 Strengthens Modem Security with Memory-Safe Rust DNS

Google is continuously advancing the security architecture of its Android ecosystem, with a significant leap forward arriving in the upcoming Pixel 10 series.

Building on the foundational mitigations introduced in the Pixel 9, the tech giant is aggressively targeting vulnerabilities within the complex cellular baseband modem.

Recognizing the severe risks associated with memory-unsafe firmware code, Google has officially integrated a memory-safe Rust-based Domain Name System (DNS) parser into the Pixel 10 modem firmware.

This proactive defensive measure mitigates an entire class of vulnerabilities in a highly targeted area. It establishes a robust framework for broader adoption of memory-safe code in low-level embedded environments.

Modern Memory Safety

In recent years, cellular modems have become a prime target for sophisticated attackers and security researchers. The attack surface is vast, with modern modems running tens of megabytes of executable code. Google’s Project Zero previously demonstrated the severity of these risks by achieving remote code execution (RCE) on Pixel modems directly over the internet.

Given the baseband’s intricate complexity and remote accessibility, relying predominantly on memory-unsafe languages like C and C++ for firmware development leaves critical vulnerabilities exposed.

While the Pixel 9 introduced vital security hardening mitigations, such as Bounds Sanitizers to prevent buffer overflows and Integer Overflow Sanitizers, these were primarily reactive safeguards designed to block specific exploit techniques.

Transitioning to a memory-safe language like Rust represents a fundamental shift from merely mitigating exploitation to outright eliminating the underlying memory-safety flaws at the source.

Critical Role of DNS in Modern Cellular Networks

While the Domain Name System (DNS) is traditionally associated with browser-based web navigation, its role in cellular communications has evolved dramatically. Modern cellular infrastructures have migrated entirely to digital data networks, meaning that even fundamental baseband operations, such as voice call forwarding, are heavily reliant on DNS services.

Because the DNS protocol is inherently complex and requires parsing untrusted data from external sources, it is highly susceptible to exploitation.

Vulnerabilities such as CVE-2024-27227 highlight the severe dangers of implementing complex network parsers in memory-unsafe languages. By rewriting the DNS parser in Rust, Google significantly decreases the attack surface, ensuring that maliciously crafted DNS responses cannot trigger memory corruption vulnerabilities within the baseband.

To implement this memory-safe architecture, Google engineers evaluated multiple open-source Rust crates. The team selected hickory-proto as the ideal candidate due to its active maintenance, extensive test coverage exceeding 75%, and widespread adoption across the Rust community.

However, integrating a standard Rust library into a bare-metal embedded environment presented immediate technical hurdles.

Standard Rust libraries rely on the std library, which requires an underlying operating system to function. The cellular baseband operates in a highly constrained, bare-metal environment, necessitating strict no_std support.

Google developers mechanically modified hickory-proto and its foundational dependencies to support no_std environments, subsequently contributing these pull requests back to the open-source community.

This rigorous effort not only secured the Pixel modem but also yielded a no_std URL parser is beneficial for other embedded security projects.

When selecting third-party libraries for embedded systems, compiled code size is a critical evaluation factor. Benchmarking the Rust implementation revealed a noticeable increase in footprint compared to legacy C implementations.

Key metrics from the deployment study include:

A Rust-implemented shim for receiving and routing DNS responses consumes approximately 4KB.
Reusable core libraries (core, alloc, compiler_builtins) require an initial, one-time integration cost of 17KB.
The comprehensive hickory-proto library and its dependencies account for roughly 350KB.

While the total size of 371KB might be prohibitive for severely constrained Internet of Things (IoT) devices, the Pixel 10 modem possesses sufficient memory overhead to accommodate this integration.

Google prioritized robust community support and code reliability over aggressive size optimization, noting that modular feature flags could further reduce the footprint for future embedded deployments.

Compiling and Integrating Rust

Bridging the gap between the modern Rust components and the legacy C/C++ baseband firmware required highly innovative build engineering. Instead of using standard cargo workflows that fail to scale without causing duplicated symbol errors during the linking phase. Google integrated rustc directly into the existing modem build system powered by Pigweed.

The integration architecture required several highly technical adaptations:

Compiling all necessary Rust crates into .rlib files using robust Foreign Function Interface (FFI) bindings.
Creating a comprehensive staticlib target referencing all related crates via extern keywords.
Implementing a specialized GlobalAlloc interface with FFI calls to seamlessly map Rust dynamic memory allocations directly to the modem’s existing C-based allocation system.
Unifying threat telemetry and crash handling by exposing the Pigweed crash facade into Rust panic_handler.

The final firmware linking phase involved extracting object files from the combined Rust staticlib using llvm-ar and supplying them directly to the C/C++ linker. During this critical phase, engineers encountered unexpected power consumption and performance regressions across testing suites.

Diagnostic analysis quickly revealed that weak symbols within the Rust compiler_builtins crates were accidentally overwriting highly optimized, hardware-specific memset and memcpy functions natively provided by the modem firmware.

Because both the firmware and the Rust compiler built-ins defined these critical symbols as weak, the linker could not distinguish the preferred implementation. The engineering team efficiently mitigated this conflict by aggressively stripping the compiler_builtins crate from the static library before the final linking execution.

The upcoming launch of the Pixel 10 series marks a true watershed moment in mobile device security architecture. By becoming the first smartphone to successfully execute memory-safe language components directly within its cellular baseband modem, Google has established an entirely new industry standard.

While replacing a single DNS parser addresses only one attack vector, as reported by Google, the architectural groundwork laid by this initiative ensures that the Android baseband security posture will continuously harden against sophisticated remote exploitation for years to come.

Frequently Asked Questions

What makes the Pixel 10 modem more secure than previous generations?
The Pixel 10 modem integrates a memory-safe Rust DNS parser to eliminate entire classes of memory corruption vulnerabilities previously found in older firmware architectures.

Why did Google specifically target the DNS parser for this security upgrade?
DNS protocols are highly complex, handle untrusted external data, and are critical for modern cellular operations, making them prime targets for remote threat actors.

How did developers successfully execute Rust in a bare-metal modem environment?
Engineers extensively modified the hickory-proto Rust library to operate without standard OS libraries by utilizing strict no_std environments and custom FFI global memory allocators.

Does integrating Rust code increase the overall footprint of the modem firmware?
Yes, integrating the Rust DNS library added approximately 371KB of code, but the Pixel 10 modem still has sufficient hardware memory to handle it without degrading performance.

Site: http://thecybrdef.com