Google is integrating Rust into Pixel modems to eliminate memory-safety vulnerabilities, starting with a DNS parser. This marks a significant shift toward memory-safe languages in low-level firmware, reducing attack surfaces and laying the groundwork for broader adoption in future devices.
Google is taking a significant step toward enhancing the security of its Pixel devices by integrating the Rust programming language into the cellular baseband modem firmware. This move, detailed in a recent Google Online Security Blog post, represents a proactive approach to mitigating memory-safety vulnerabilities in one of the most critical and complex components of modern smartphones.
The Security Imperative
The cellular modem has become an increasingly attractive target for attackers and security researchers alike. Google's Project Zero, for instance, demonstrated remote code execution on Pixel modems over the Internet, highlighting the severity of potential vulnerabilities. With tens of megabytes of executable code in the modem firmware, the attack surface is vast, and memory-safety issues in the predominantly C/C++ codebase pose a significant risk.
Why DNS? A Strategic Starting Point
Google's decision to begin with a DNS (Domain Name System) parser is both strategic and practical. DNS is a fundamental protocol used not only for browser-based website lookups but also for critical cellular operations like call forwarding. Its complexity and reliance on parsing untrusted data make it a prime candidate for vulnerabilities, especially when implemented in memory-unsafe languages. By rewriting the DNS parser in Rust, Google aims to eliminate an entire class of memory-safety vulnerabilities in a high-risk area.
Choosing the Right Tool: Hickory-proto
Google evaluated several open-source Rust crates for DNS implementation and ultimately selected hickory-proto for its excellent maintenance, over 75% test coverage, and widespread adoption in the Rust community. However, hickory-proto initially lacked no_std support, which is essential for bare-metal environments like the modem. Google contributed patches to add this support, benefiting not only their project but also the broader Rust ecosystem.
Overcoming Technical Challenges
The integration of Rust into the modem firmware involved several technical hurdles:
Code Size Considerations
While hickory-proto is not optimized for embedded use, Google prioritized community support and code quality over size optimizations. The additional code size (approximately 371KB) was deemed acceptable for the Pixel modem, though it could be a blocker for more memory-constrained systems. Future work could involve adding feature flags to conditionally compile only the required functionality.
Build System Integration
Google opted to integrate Rust compilation directly into the existing modem build system, which uses Pigweed and GN. This approach scales better than building Rust as a static library and allows tighter integration. The team compiled all Rust crates, including hickory-proto and its dependencies, to rlib and created a staticlib target with a single lib.rs file referencing all the rlib crates.
Memory Allocation and Panic Handling
Pixel modem firmware already has a specialized global memory allocation system, which was leveraged by implementing the GlobalAlloc trait with FFI calls to the existing C APIs. Similarly, the modem's crash handling backend was exposed to Rust through FFI, ensuring unified crash handling for both Rust and C/C++ code.
Linking and Performance
A performance issue arose due to weak symbols during linking, where modem-optimized implementations of memset and memcpy were accidentally replaced by those from the compiler-builtins crate. This was resolved by stripping the compiler-builtins crate before linking.
Exposing Rust APIs and FFI
The DNS parser's API was declared in C and implemented in Rust, with callbacks back to C++ for handling DNS responses. While the API itself was simple enough to hand-write, the complex data type conversions for callbacks were handled using bindgen to generate FFI code.
Scaling with Cargo-gnaw
With hickory-proto introducing over 30 dependent crates, manually written build rules were impractical. Google leveraged cargo-gnaw, a tool developed by Fuchsia, to generate GN build rules by invoking cargo metadata to resolve dependencies. This ensured correctness and ease of maintenance.
A Foundation for the Future
The integration of Rust into the Pixel 10 modem marks a pivotal moment in smartphone security. While replacing one piece of risky attack surface is valuable in itself, this project lays the groundwork for broader adoption of memory-safe parsers and code in the cellular baseband. As development continues, the baseband's security posture will continue to improve, setting a new standard for secure firmware development.
Conclusion
Google's initiative to bring Rust to the Pixel modem is a bold and necessary step in the ongoing battle against memory-safety vulnerabilities. By starting with the DNS parser and overcoming significant technical challenges, Google has demonstrated the feasibility and benefits of integrating memory-safe languages into low-level firmware. This effort not only enhances the security of Pixel devices but also paves the way for a safer, more secure future for all embedded systems.
Special thanks to the team behind this project, including Armando Montanez, Bjorn Mellem, Boky Chen, Cheng-Yu Tsai, Dominik Maier, Erik Gilling, Ever Rosales, Hungyen Weng, Ivan Lozano, James Farrell, Jeffrey Vander Stoep, Jiacheng Lu, Jingjing Bu, Min Xu, Murphy Stein, Ray Weng, Shawn Yang, Sherk Chung, Stephan Chen, and Stephen Hines.
For more details, you can read the original blog post on the Google Online Security Blog.
Comments
Please log in or register to join the discussion