Google has quietly taken an important step in hardening the Pixel 10 against modem-level attacks: the company has integrated a Rust-based DNS parser directly into the smartphone’s baseband firmware. This move reflects a long-term strategy to phase out traditional C/C++ in favor of memory-safe languages in the most critical and attack‑prone components of modern mobile devices.
Why smartphone baseband firmware is a prime target for attackers
The cellular modem (baseband) is one of the least visible yet most sensitive parts of any smartphone. It implements complex protocol stacks (2G/3G/4G/5G), maintains continuous connectivity to untrusted networks, and processes large volumes of external traffic in real time. At the same time, baseband firmware historically relies on C/C++ and often lags behind the main OS in terms of hardening and update practices.
As Android itself has become more resilient through features such as mandatory ASLR, sandboxing, and stricter app isolation, attackers have increasingly shifted attention toward the baseband layer. A remotely exploitable modem vulnerability can allow arbitrary code execution outside the Android security model, bypassing many OS‑level protections and exposing voice calls, SMS, and connection metadata.
Security research over the last decade has shown that baseband exploits can be triggered via crafted radio frames, SMS messages, or malformed control-plane traffic, often with no user interaction. In this context, shrinking the attack surface of modem firmware is a priority for both vendors and mobile operators.
Rust DNS parser in the Pixel 10 modem: a high-value security upgrade
For the first Rust component in the Pixel modem, Google’s engineers targeted the DNS parser. This choice is strategic: DNS traffic is processed during nearly every network interaction, including connectivity setup, call forwarding features, and various operator services. Any flaw in DNS parsing logic can be exercised frequently and remotely.
The DNS protocol itself is non-trivial. It uses nested structures, name compression, variable-length fields, and complex resource record formats. Historically, DNS parsers implemented in C/C++ have been a recurring source of memory corruption issues, including out-of-bounds reads and writes, buffer overflows, and use-after-free bugs. Vulnerabilities like CVE-2024-27227, tied to improper handling of DNS data, illustrate how small parsing mistakes can escalate into critical remote code execution flaws.
By rewriting the DNS parser in Rust, Google aims to eliminate entire classes of such bugs at the language level. Rust’s ownership model, compile‑time borrow checker, and strict bounds checking make it much harder to introduce typical C/C++ memory errors. According to Pixel engineer Jiacheng Lu, the Rust DNS parser significantly reduces the attack surface in a historically problematic area and lays the groundwork for migrating more modem components to memory-safe code.
Implementing Rust in baseband firmware: hickory-proto, embedded constraints, and cargo-gnaw
Adapting Rust DNS libraries to bare metal and embedded environments
To implement the modem DNS parser, Google chose the well-known Rust crate hickory-proto, originally designed for DNS clients, servers, and resolvers in more conventional environments. However, baseband firmware operates in a highly constrained, bare metal / embedded context: no general-purpose OS, limited memory, tight timing requirements, and strict binary size limits.
Engineers had to carefully adapt hickory-proto to this environment, reducing its reliance on the Rust standard library and optimizing memory usage while preserving robustness. The challenge is compounded by the Rust ecosystem’s dependency graph: a single crate can pull in dozens of others. In this case, hickory-proto brought along more than 30 dependencies, each requiring review, trimming, and potential modification to comply with modem firmware constraints.
cargo-gnaw: managing Rust dependencies in modem firmware
To make Rust realistically deployable in baseband firmware, Google developed a dedicated tool called cargo-gnaw. This tool streamlines management of Rust dependencies in constrained builds: it allows engineers to selectively include only the necessary parts of libraries, strip optional features, and keep tight control over the final binary size and composition.
This approach turns Rust use in baseband firmware from a theoretical security improvement into a practical engineering solution, enabling incremental migration while preserving performance and real-time behavior requirements.
Google’s broader strategy: memory-safe languages for Android and baseband security
The Rust DNS parser in the Pixel 10 modem is part of a broader program to strengthen Android and baseband security through memory-safe programming. Google has previously used Clang sanitizers (IntSan, BoundSan) to detect undefined behavior in modem code and has introduced mitigations against 2G‑based attacks and classic buffer overflow exploits in baseband stacks.
On the Android side, Google has been steadily increasing the share of system code written in Rust and other memory-safe languages. Public Android security reports indicate that the proportion of vulnerabilities caused by memory safety issues has dropped sharply over the last several years, falling to below 20% of all reported bugs in newer Android versions. This demonstrates that language-level protection can have a measurable impact in real-world attack scenarios.
Extending this philosophy to modem firmware addresses what has traditionally been a “blind spot” for many users and even for some security professionals. As more baseband components are ported to Rust or other memory-safe technologies, the expectation is a reduction in critical modem vulnerabilities and a higher bar for attackers seeking to compromise mobile networks at the radio layer.
For vendors and developers, Google’s move is a clear signal that the industry is shifting away from pure C/C++ in security-critical, low-level code wherever feasible. Planning gradual migrations to memory-safe languages—especially for complex parsers and protocol implementations—should now be considered a core security engineering practice. For users and enterprise buyers, it becomes increasingly important to evaluate device security not only by Android version, but also by vendor update policies, baseband hardening measures, and adoption of modern, memory-safe programming languages in the firmware stack.
