In an era where smartphone operating systems are fortified with advanced security measures, attack vectors targeting the modem remain a significant concern. Recent findings from Google’s Project Zero team have revealed that remote code execution vulnerabilities exist on the modems of Pixel phones, prompting a critical reassessment of security protocols for these essential low-level systems. Instead of completely rewriting the modem software, Google has chosen to integrate a safer Rust-based component into the Pixel 10 modem.
Cellular modems operate as a complex, often opaque system. They run on baseband software written predominantly in legacy C and C++, which makes them an increasingly tempting target for attackers because of the vulnerabilities inherent to that code. The primary issue is manual memory management: these languages leave bounds and lifetime checks to the programmer, so the resulting firmware is memory-unsafe and exposed to serious bugs such as buffer overflows and memory leaks.
Despite the evident risks, the continued reliance on this legacy code can be attributed to the inertia present within embedded systems. Modem firmware has been developed according to 3GPP specifications for decades, accumulating substantial technical debt over time. Additionally, the real-time operational requirements of modems necessitate the speed offered by C/C++ code.
Google’s recent hack demonstration involving the Pixel’s Exynos-based modem is not an isolated incident. The Project Zero researchers have uncovered over two dozen vulnerabilities in Exynos modems over recent years, 18 of which have been classified as “severe.” While these vulnerabilities were patched upon discovery, the intricate nature of modem code suggests that further threats may remain undiscovered.
Adopting Rust for Improved Security
Enhancing modem safety means tackling these memory vulnerabilities, and Rust emerges as a strong candidate for this purpose. While it is not the only memory-safe programming language (garbage-collected languages such as Python are memory-safe too), Rust distinguishes itself by eschewing garbage collection. Instead, it employs a borrow checker that enforces memory safety at compile time. This rigorous system prevents developers from neglecting memory management, thereby avoiding the pitfalls that plague C and C++ firmware.
However, transitioning to Rust is not a simple endeavor. The existing modem firmware comprises millions of lines of code, making any overhaul a monumental challenge. Moreover, many companies involved treat the inner workings of their modems as proprietary information, complicating any potential updates.
To mitigate the risk of zero-day attacks on the Pixel modem, Google has decided to focus on the DNS parser. As mobile features have increasingly migrated to data networks, DNS has become integral to smartphone operations. Google emphasizes that DNS operations involve parsing data from untrusted sources, which presents significant security challenges that can be addressed using Rust.
The company opted for the hickory-proto open-source Rust DNS library, which, despite not being optimized for this use, is widely used and well supported. Because the Pixel modem is not constrained by memory limitations, the team could incorporate a Rust component aimed at enhancing DNS safety within the existing codebase. After stripping out the standard library dependencies, the Rust code was compiled to native machine code, adding a total of 371KB, which is manageable within the context of the Pixel modem.
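To make the "parsing data from untrusted sources" point concrete, here is an added example (not Google's or hickory-proto's code) of the kind of bounds-checked DNS name decoder a memory-safe parser provides: every byte access in the packet is checked, label lengths and compression-pointer hops are limited, and a malformed packet produces an error rather than an out-of-bounds read. The packet layout follows RFC 1035; the function and error names are this example's own.

```rust
// Added example (not Google's or hickory-proto's code): a bounds-checked DNS
// name decoder of the kind a memory-safe parser must provide. Every slice
// access is checked, so a malformed packet yields an Err, never an OOB read.

#[derive(Debug, PartialEq)]
pub enum DnsError {
    Truncated,    // offset or length runs past the end of the packet
    LabelTooLong, // label length > 63 (RFC 1035 limit)
    BadLabelType, // 0b01/0b10 label types are not supported here
    PointerLoop,  // too many compression pointers followed
}

/// Decode the domain name starting at `pos` in `pkt`. Returns the name in
/// dotted form and the offset just past the name in the original stream.
pub fn read_name(pkt: &[u8], pos: usize) -> Result<(String, usize), DnsError> {
    let mut name = String::new();
    let mut cur = pos;
    let mut end_after: Option<usize> = None; // set once we follow a pointer
    let mut hops = 0u8;
    loop {
        let len = *pkt.get(cur).ok_or(DnsError::Truncated)? as usize;
        match len & 0xC0 {
            0x00 => {
                cur += 1;
                if len == 0 {
                    // the zero-length root label terminates the name
                    return Ok((name, end_after.unwrap_or(cur)));
                }
                if len > 63 { return Err(DnsError::LabelTooLong); }
                let label = pkt.get(cur..cur + len).ok_or(DnsError::Truncated)?;
                if !name.is_empty() { name.push('.'); }
                name.push_str(&String::from_utf8_lossy(label));
                cur += len;
            }
            0xC0 => {
                // 2-byte compression pointer: 14-bit offset into the packet
                let lo = *pkt.get(cur + 1).ok_or(DnsError::Truncated)? as usize;
                hops += 1;
                if hops > 16 { return Err(DnsError::PointerLoop); }
                if end_after.is_none() { end_after = Some(cur + 2); }
                cur = ((len & 0x3F) << 8) | lo;
            }
            _ => return Err(DnsError::BadLabelType),
        }
    }
}
```

On a constructed packet holding "www.example.com" followed by the label "mail" and a pointer back to offset 4, `read_name(&pkt, 17)` returns `("mail.example.com", 24)`, while a self-referencing pointer `[0xC0, 0x00]` returns `PointerLoop` instead of spinning forever.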
This integration creates a robust barrier against potential vulnerabilities: a malicious DNS packet that might have corrupted memory in the C parser is instead rejected by the Rust-based component. The Pixel 10 represents the first instance of this enhanced modem architecture being deployed in a consumer product. Google hopes the initiative will inspire similar advancements on other platforms, even though the size of the chosen Rust library may pose challenges for simpler embedded systems. Future work could involve a more modular version of the library, paving the way for broader adoption of memory-safe components in cellular baseband systems over time.
Source: Ars Technica News