Google makes it harder to exploit Pixel 10 modem firmware

Google is working to improve the security of Pixel phones by focusing on the cellular baseband modem, a part of the device that handles communication with mobile networks and processes external data.

In the Pixel 9, the company introduced measures to reduce memory-related vulnerabilities. With the Pixel 10, the approach goes further by integrating a DNS parser written in the Rust programming language into the modem firmware.

The DNS protocol is known for helping browsers locate websites, and it also plays a role in cellular networks, where functions such as call forwarding depend on DNS services. DNS processes complex data from external sources and must handle untrusted input, which can introduce vulnerabilities when implemented in memory-unsafe languages.

“Pixel modem has tens of Megabytes of executable code. Given the complexity and remote attack surface of the modem, other critical memory safety vulnerabilities may remain in the predominantly memory-unsafe firmware code,” Jiacheng Lu, Software Engineer, Google Pixel Team wrote.

“The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas,” Lu added.

Rust integration and firmware challenges

Google chose an open source DNS library called hickory-proto and adapted it for use in modem firmware. The modem environment requires Rust code to run without the standard library, using a setup known as no_std.

The added code increases the firmware size by about 371 KB, including the DNS library, its dependencies, and required Rust components. This was considered acceptable for Pixel devices.

“We built prototypes and measured size with size-optimized settings. Expectedly, hickory_proto is not designed with embedded use in mind, and is not optimized for size. As the Pixel modem is not tightly memory constrained, we prioritized community support and code quality, leaving code size optimizations as future work,” Lu explained.

“However, the additional code size may be a blocker for other embedded systems. This could be addressed in the future by adding additional feature flags to conditionally compile only required functionality. Implementing this modularity would be a valuable future work.”

To integrate the parser, the Rust code was connected to the existing C and C++ firmware through interfaces that allow them to exchange data. When the modem receives DNS data, it is passed to the Rust parser, which processes it and then calls back into existing C functions to store or use the results.

This also required changes to the build process. The Rust code was compiled in a way that fits into the existing firmware system and linked with the modem’s memory allocation and crash handling components.

During testing, a performance issue appeared when some optimized functions were replaced during linking. This caused power and performance problems, which were later fixed by adjusting how the code is linked.