Application Isolation
So how do I know that the apps I’m running on my Ledger devices are doing what I intend them to do? What protects me from getting a virus on my Ledger devices?
User mode, Supervisor mode
Ledger solves these problems by utilizing the application isolation technology available in the Secure Element - the ARM Memory Protection Unit and Operating Modes. The Memory Protection Unit is used to natively isolate each app to its own memory region, and apps run in User mode whereas the operating system runs in Supervisor mode. By restricting the device to a single-task model where only one app can run at a time, and each app is isolated from the rest of the device, apps are prevented from accessing your cryptographic secrets on the device unless you explicitly give them permission to.
Syscall
Since Ledger OS was designed based on a single-task model where only one app runs at any given time, an application is independently responsible for a lot of the things a typical OS would do. These things include managing hardware like the device screen, buttons, timer, etc. as well as handling all I/O with peripherals. However, there are many instances where a Ledger OS application has to request the operating system to perform a certain operation. This is done using a syscall.
When an application performs a syscall, the Secure Element switches to Supervisor mode and the OS performs the requested task before giving control back to the application, in User mode. All syscalls have a wrapper function in the SDK that can be used to invoke them. A syscall may be used to access hardware accelerated cryptographic primitives (most of these functions are defined in include/cx.h
in the SDKs), to perform low-level I/O operations (like receiving / transmitting to the MCU), or to access cryptographic secrets managed by Ledger OS (for example, to derive a node from the BIP 32 master node).
Accessing secrets
The access that applications have to cryptographic secrets managed by the operating system can be configured when loading an application onto the device (this is actually a required metadata for an application to be deployed). Instead of accessing secrets like the device’s master seed directly, applications instead have to use syscalls, i.e to request the operating system to derive a node from the master seed by providing the operating system with a path to the requested node. When the application is loaded, the BIP 32 paths that the application is permitted to derive nodes from are specified. If the application requests the operating system to derive a node on a path that it is not permitted to use, the request is denied.
This way, many different applications can be loaded onto the device, and each of them can be restricted to a specific subtree of the HD tree depending on the application’s purpose.
Conclusion
Still, the importance of only installing apps that you can trust should not be understated. In the next section, we’ll talk about how Ledger’s operating system provides attestation features that allow the device to verify the authenticity of the apps that you’re installing by checking a digital signature that is sent along with apps when they’re loaded onto the device. Additionally, we’ll discuss how Ledger’s platform is open-source friendly which enables you to review the apps that you’re using to manage your assets.