Link | Archive
The Pixel 10 series ships with Google's safer modem code. Credit: Ryan Whitwam
By Ryan Whitwam
Modern smartphone operating systems have myriad systems in place to improve security, but none of that helps when attackers target the modem. Google’s Project Zero team has shown it’s possible to get remote code execution on Pixel phone modems over the Internet, which prompted Google to reevaluate how it secures this vital, low-level system. The solution wasn’t to rewrite modem software but rather to shoehorn a safer Rust-based component into the Pixel 10 modem.
Cellular modems are something of a black box. Your phone’s baseband is its own operating system running legacy C and C++ code, which makes it an increasingly appealing attack surface. The core issue is that memory management in these systems is difficult and often leads to memory-unsafe firmware code on production devices. That can allow attackers to leverage serious vulnerabilities like buffer overflows and memory leaks to compromise devices.
So that’s not great—why are we still using this stuff? Part of the issue is just the inertia of embedded systems. Companies have been developing modem firmware based on 3GPP specifications for decades, so there’s a lot of technical debt at this point. Modems also have to operate in real time to send and receive data effectively, and C/C++ code is fast.
Google’s demonstrative hack of the Pixel’s Exynos-based modem is not the only one by a long shot. Project Zero researchers have identified more than two dozen Exynos modem vulnerabilities in recent years, 18 of which were classified as “severe.” Naturally, the issues were patched after discovery, but the complexity of modem code virtually guarantees there are more vulnerabilities lurking inside, ready to be exploited by a bad actor.
Rust doesn’t have a slow garbage collector. Instead, it uses a mechanism called the borrow checker that ensures memory safety at compile time. This strict set of rules ensures that you can’t “forget” to free up memory—code simply won’t compile if the memory rules are breached. This is what makes Rust a memory-safe language.
However, not even Google can wave its proverbial hand and change how modem firmware is written—we’re talking about tens of megabytes of executable machine code, which is a lot. Not only would it be a herculean task to update decades of work, but many of the companies involved also consider the inner workings of modems to be trade secrets.
To protect the Pixel modem from zero-day attacks, Google focused on the DNS parser. As cellular features have migrated to data networks, DNS has become a core part of how phones work. Google explains that DNS requires parsing of untrusted data, and that makes it a major security concern, but it’s one you can solve with Rust.
Google chose the hickory-proto open source Rust DNS library, which is not particularly optimized but has broad adoption and support. The modem in Pixel phones is not a memory-constrained environment, which allowed the team to tack on a Rust component to make DNS in the existing code safer. The team stripped out the standard library dependencies, allowing it to compile to machine code for faster operation, which was then grafted onto the existing C/C++ modem code. In total, the Rust components added 371KB, which is workable in the Pixel modem.
Under this system, any attempt to trigger a vulnerability by manipulating memory runs into the Rust wall—it can’t be affected by malicious DNS packets. The Pixel 10 phones are the first to ship with this safer modem implementation. Google hopes this work will allow other platforms to make similar improvements, but the company notes the size of its chosen Rust library could be a problem for simpler embedded systems. It may be possible to address that by making the library more modular in the future. Google also sees this work as a foundation for integrating more memory-safe components into the cellular baseband in time.
The Pixel 10 series ships with Google's safer modem code. Credit: Ryan Whitwam
By Ryan Whitwam
Modern smartphone operating systems have myriad systems in place to improve security, but none of that helps when attackers target the modem. Google’s Project Zero team has shown it’s possible to get remote code execution on Pixel phone modems over the Internet, which prompted Google to reevaluate how it secures this vital, low-level system. The solution wasn’t to rewrite modem software but rather to shoehorn a safer Rust-based component into the Pixel 10 modem.
Cellular modems are something of a black box. Your phone’s baseband is its own operating system running legacy C and C++ code, which makes it an increasingly appealing attack surface. The core issue is that memory management in these systems is difficult and often leads to memory-unsafe firmware code on production devices. That can allow attackers to leverage serious vulnerabilities like buffer overflows and memory leaks to compromise devices.
So that’s not great—why are we still using this stuff? Part of the issue is just the inertia of embedded systems. Companies have been developing modem firmware based on 3GPP specifications for decades, so there’s a lot of technical debt at this point. Modems also have to operate in real time to send and receive data effectively, and C/C++ code is fast.
Google’s demonstrative hack of the Pixel’s Exynos-based modem is not the only one by a long shot. Project Zero researchers have identified more than two dozen Exynos modem vulnerabilities in recent years, 18 of which were classified as “severe.” Naturally, the issues were patched after discovery, but the complexity of modem code virtually guarantees there are more vulnerabilities lurking inside, ready to be exploited by a bad actor.
Getting Rusty
Making modems safer means addressing these memory loopholes, and Rust is a great candidate for that. Of course, Rust is not the first memory-safe language to exist. Python, C#, and others also have safer memory management systems, but they rely on garbage collection to do it. Garbage collection can scan active memory while programs run to find and free up unused memory. This is safer, but it’s also slow, and that’s a nonstarter for real-time modem firmware.Rust doesn’t have a slow garbage collector. Instead, it uses a mechanism called the borrow checker that ensures memory safety at compile time. This strict set of rules ensures that you can’t “forget” to free up memory—code simply won’t compile if the memory rules are breached. This is what makes Rust a memory-safe language.
However, not even Google can wave its proverbial hand and change how modem firmware is written—we’re talking about tens of megabytes of executable machine code, which is a lot. Not only would it be a herculean task to update decades of work, but many of the companies involved also consider the inner workings of modems to be trade secrets.
To protect the Pixel modem from zero-day attacks, Google focused on the DNS parser. As cellular features have migrated to data networks, DNS has become a core part of how phones work. Google explains that DNS requires parsing of untrusted data, and that makes it a major security concern, but it’s one you can solve with Rust.
Google chose the hickory-proto open source Rust DNS library, which is not particularly optimized but has broad adoption and support. The modem in Pixel phones is not a memory-constrained environment, which allowed the team to tack on a Rust component to make DNS in the existing code safer. The team stripped out the standard library dependencies, allowing it to compile to machine code for faster operation, which was then grafted onto the existing C/C++ modem code. In total, the Rust components added 371KB, which is workable in the Pixel modem.
Under this system, any attempt to trigger a vulnerability by manipulating memory runs into the Rust wall—it can’t be affected by malicious DNS packets. The Pixel 10 phones are the first to ship with this safer modem implementation. Google hopes this work will allow other platforms to make similar improvements, but the company notes the size of its chosen Rust library could be a problem for simpler embedded systems. It may be possible to address that by making the library more modular in the future. Google also sees this work as a foundation for integrating more memory-safe components into the cellular baseband in time.
