Google ports a Rust DNS parser into the Pixel modem to cut memory-safety risk

What happened
Google’s Pixel team has moved a DNS parser for the cellular baseband modem from memory-unsafe code into Rust. The company says this reduces a whole class of memory-safety bugs inside a notoriously risky component of the phone. It has been reported that Project Zero previously achieved remote code execution on Pixel modems over the Internet — a reminder that the modem is a juicy target for attackers and defenders alike.
Why DNS, and why Rust?
DNS might sound boring, but it’s everywhere, even in basic cellular features like call forwarding. DNS parsing involves handling untrusted, messy input. Get that wrong in C or C++, and you get CVE headlines (see CVE-2024-27227). Rust’s memory-safety model changes the failure mode: in safe Rust, an out-of-bounds access is caught as an error or a panic instead of silently corrupting memory. So why not move risky parsers into a language that rules out whole categories of bugs? Makes sense.
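To make the failure-mode point concrete, here is an added example (not code from Google's post or from hickory-proto) of bounds-checked DNS name decoding with compression pointers. The names read_name and NameError, the jump limit of 16 and the sample bytes are assumptions made for illustration, and it uses std's String for brevity where the modem build is no_std.

```rust
// Added illustration: decode a DNS name (RFC 1035, section 4.1.4) from untrusted bytes.
// Every read goes through slice::get, so malformed input yields Err, never an
// out-of-bounds read. All names and limits here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum NameError {
    Truncated,   // a label or pointer runs past the end of the message
    BadLabel,    // reserved label type (top bits 01 or 10)
    PointerLoop, // compression pointers do not terminate
    TooLong,     // name exceeds the 255-byte limit
}

/// Decode the name starting at `pos` in `msg` into dotted form.
/// Label bytes are shown as Latin-1 characters for display only.
pub fn read_name(msg: &[u8], mut pos: usize) -> Result<String, NameError> {
    let mut name = String::new();
    let mut jumps = 0;
    loop {
        let len = *msg.get(pos).ok_or(NameError::Truncated)? as usize;
        match len & 0xC0 {
            0x00 if len == 0 => return Ok(name), // root label ends the name
            0x00 => {
                let label = msg.get(pos + 1..pos + 1 + len).ok_or(NameError::Truncated)?;
                if name.len() + len + 1 > 255 {
                    return Err(NameError::TooLong);
                }
                if !name.is_empty() {
                    name.push('.');
                }
                name.extend(label.iter().map(|&b| b as char));
                pos += 1 + len;
            }
            0xC0 => {
                // Compression pointer: 14-bit offset from the start of the message.
                let lo = *msg.get(pos + 1).ok_or(NameError::Truncated)? as usize;
                jumps += 1;
                if jumps > 16 {
                    return Err(NameError::PointerLoop); // assumed cap on pointer hops
                }
                pos = ((len & 0x3F) << 8) | lo;
            }
            _ => return Err(NameError::BadLabel),
        }
    }
}

fn main() {
    // Constructed sample: "example.com" at offset 0, a pointer to it at offset 13.
    let msg = b"\x07example\x03com\x00\xC0\x00";
    println!("{:?}", read_name(msg, 13)); // pointer followed
    println!("{:?}", read_name(&msg[..5], 0)); // truncated label
    println!("{:?}", read_name(b"\xC0\x00", 0)); // pointer to itself
}
```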
The engineering move
Google evaluated existing Rust crates and picked hickory-proto for its maintenance and test coverage. The team also retrofitted no_std support for hickory-proto and some dependencies so the code could run on bare-metal modem firmware — work contributed upstream via PRs to hickory-dns, rust-url and ipnet. That’s important: this isn’t a one-off fork. It’s community work that others can use.
Trade-offs and the road ahead
There’s a cost. A prototype build tallied roughly 371 KB of additional code (4 KB shim, 17 KB core/runtime, 350 KB library + deps). Pixel’s modem isn’t tight on memory, so Google prioritized community support and correctness over size tweaks, but that extra footprint could be a deal-breaker for smaller embedded devices. Still, the move feels like a watershed: practical Rust in a live modem stack. Will others follow? If history is any guide, once safety proves itself in high-profile places, adoption accelerates.
Sources: security.googleblog.com, Lobsters