Google shoehorned Rust into Pixel 10 modem to make legacy code safer

Rust doesn’t have a slow garbage collector. Instead, it uses a mechanism called a borrow checker that ensures memory safety at compile time. This strict set of rules ensures that you cannot “forget” to free memory: the code will simply not compile if the memory rules are not respected. This is what makes Rust a memory-safe language.

However, even Google can’t wave its proverbial hand and change the way modem firmware is written: we’re talking tens of megabytes of executable machine code, which is a lot. Not only would updating decades of work be a Herculean task, but many of the companies involved also consider the inner workings of modems to be trade secrets.

To protect the Pixel modem from zero-day attacks, Google focused on the DNS analyzer. As cellular functionality has migrated to data networks, DNS has become an essential part of how phones work. Google explains that DNS requires parsing untrusted data, making it a major security issue, but one that you can solve with Rust.

Google chose the proto-hickory Rust open source DNS library, which is not particularly optimized but is widely adopted and supported. The Pixel phones’ modem is not a memory-constrained environment, which allowed the team to add a Rust component to make DNS in existing code more secure. The team removed dependencies from the standard library, allowing it to compile to machine code for faster operation, which was then grafted onto existing C/C++ modem code. In total, the Rust components added 371 KB, which is usable in the Pixel modem.

In this system, any attempt to trigger a vulnerability by manipulating memory hits the Rust wall: it cannot be affected by malicious DNS packets. The Pixel 10 phones are the first to ship with this more secure modem implementation. Google hopes this work will enable other platforms to make similar improvements, but the company notes that the size of the Rust library it chose could pose a problem for simpler embedded systems. It may be possible to resolve this issue by making the library more modular in the future. Google also sees this work as a basis for eventually integrating more memory-secure components into the cellular baseband.