Google adds Rust support to Pixel baseband, boosting security and performance.
Google’s Pixel team says it has added Rust to the cellular baseband firmware of Pixel 10, hardening the modem against memory‑safety exploits and boosting performance, building on Pixel 9’s mitigations.
Key Facts
- Key company: Google
Google’s decision to embed a Rust‑based DNS parser in the Pixel 10 baseband marks a concrete step toward reducing the attack surface of one of the most vulnerable components in a smartphone. The move follows the Pixel 9 rollout, which introduced mitigations for a broad class of memory‑safety bugs, but left the bulk of the modem firmware still written in C/C++—languages that are prone to buffer overflows and use‑after‑free errors. By swapping the DNS stack for a memory‑safe implementation, Google aims to eliminate an entire category of exploits that have already proven viable in the wild; Project Zero, for example, achieved remote code execution on Pixel modems over the Internet, underscoring the urgency of the problem (Google Pixel Team, “Bringing Rust to the Pixel Baseband”).
The choice of DNS as the first target is strategic. Modern cellular networks rely on DNS not only for web browsing but also for core telephony functions such as call forwarding, meaning that the modem routinely processes untrusted data from the network. A recent vulnerability, CVE‑2024‑27227, demonstrated how a memory‑unsafe DNS parser could be weaponized, prompting Google to prioritize a safer rewrite (Google Pixel Team). After evaluating several open‑source crates, the team settled on the hickory‑proto library, citing its robust maintenance record, over 75 % test coverage, and widespread adoption in the Rust ecosystem. Although hickory‑proto originally lacked no_std support—a requirement for bare‑metal environments—the engineers contributed upstream patches that added this capability, along with related changes to rust‑url and ipnet, thereby extending the benefits of no_std to other projects (GitHub PR #2104, #831, #58).
From a performance and size perspective, the Rust integration appears viable for a constrained firmware environment. The team measured a total code footprint of roughly 371 KB: 4 KB for a thin shim that bridges the modem’s existing C stack to the Rust parser, 17 KB for core Rust runtime components (alloc and compiler_builtins), and 350 KB for the hickory‑proto library and its dependencies. This modest increase is offset by the security gains of eliminating memory‑unsafe code paths, and it aligns with Google’s broader “Deploying Rust in Existing Firmware Codebases” roadmap, which envisions incremental migration of critical subsystems rather than a wholesale rewrite (Google Pixel Team). The modest overhead also suggests that future expansions—such as moving additional protocol handlers or even the entire baseband stack to Rust—could be pursued without prohibitive resource costs.
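The class of bug the DNS rewrite targets, and the shim pattern described above, shown as an added example (not Google's firmware code and not hickory-proto's API): a bounds-checked DNS name decoder behind a thin C-callable entry point. It uses std so it runs on a host, unlike the no_std firmware build, and every name and the sample packet are constructed for illustration.

```rust
// Added illustration: not Google's firmware code and not hickory-proto's API.
// parse_name, dns_name_len_shim, DnsError and SAMPLE are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum DnsError { Truncated, BadLabel, PointerLoop, TooLong }

// Constructed message: "example.com" at 0, "www" + pointer to 0 at 13,
// and a self-referencing compression pointer at 19.
pub const SAMPLE: &[u8] = b"\x07example\x03com\x00\x03www\xC0\x00\xC0\x13";

/// Decode the name at `pos`. Every read goes through `get`, so a short or
/// hostile packet yields an error instead of an out-of-bounds access.
pub fn parse_name(msg: &[u8], mut pos: usize) -> Result<String, DnsError> {
    let (mut name, mut jumps) = (String::new(), 0);
    loop {
        let len = *msg.get(pos).ok_or(DnsError::Truncated)? as usize;
        match len {
            0 => return Ok(name),
            l if (l & 0xC0) == 0xC0 => {
                // Compression pointer: 14-bit offset; cap jumps to stop loops.
                let lo = *msg.get(pos + 1).ok_or(DnsError::Truncated)? as usize;
                jumps += 1;
                if jumps > 16 { return Err(DnsError::PointerLoop); }
                pos = ((l & 0x3F) << 8) | lo;
            }
            l if l > 63 => return Err(DnsError::BadLabel),
            l => {
                let label = msg.get(pos + 1..pos + 1 + l).ok_or(DnsError::Truncated)?;
                if !name.is_empty() { name.push('.'); }
                name.push_str(&String::from_utf8_lossy(label));
                if name.len() > 253 { return Err(DnsError::TooLong); }
                pos += 1 + l;
            }
        }
    }
}

/// C-callable shim: returns the decoded name length, or -1 on any error.
/// A firmware build would also export the symbol unmangled for the C side.
/// Safety: `buf` must point to `len` readable bytes.
pub unsafe extern "C" fn dns_name_len_shim(buf: *const u8, len: usize, pos: usize) -> i32 {
    if buf.is_null() { return -1; }
    // The only unsafe step: turning the C (ptr, len) pair into a slice.
    let msg = unsafe { std::slice::from_raw_parts(buf, len) };
    parse_name(msg, pos).map(|n| n.len() as i32).unwrap_or(-1)
}

fn main() {
    for pos in [0, 13, 19] {
        println!("{:2}: {:?}", pos, parse_name(SAMPLE, pos));
    }
}
```

The truncated-label and pointer-loop inputs are the cases where a C parser that trusts the length byte would read past the buffer or spin; here they come back as error values the C caller can check.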
Analysts see the Rust adoption as part of a larger industry trend toward memory‑safe languages in low‑level firmware, a shift driven by the rising sophistication of modem‑targeted attacks. While Google has not disclosed a timeline for broader migration, the Pixel 10 implementation serves as a proof‑of‑concept that could influence other OEMs and chipset vendors. The company’s public documentation emphasizes that the Rust DNS parser “significantly reduces our security risk” and “lays the foundation for broader adoption of memory‑safe code in other areas,” hinting at a phased strategy that could eventually encompass the entire baseband firmware (Google Pixel Team). If successful, this approach may set a new baseline for security expectations in flagship smartphones, pressuring competitors to follow suit or risk falling behind on a critical front of device integrity.
From a market standpoint, the enhancement could bolster consumer confidence in Pixel’s security pedigree, a differentiator that Google has leveraged in its premium pricing strategy. The move also dovetails with the broader push for on‑device privacy and data protection, areas where the baseband has historically been a blind spot. By publicly chronicling the technical steps—library selection, no_std porting, and code‑size analysis—Google not only demonstrates transparency but also provides a template for the industry, potentially accelerating the adoption curve for Rust in embedded systems. The tangible security benefits, combined with a manageable footprint, make the Rust DNS parser a noteworthy milestone in the ongoing effort to harden mobile infrastructure against an expanding threat landscape.
Sources
Reporting based on verified sources and public filings. Sector HQ editorial standards require multi-source attribution.