Franz, Michael; Herrmann, Korbinian; Brügge, Bernd

2019-05-06
2019-05-06
2008
ISBN: 978-3-88579-215-4
https://dl.gi.de/handle/20.500.12116/22221

In many of today’s application programs, security functionality is inseparably intertwined with the actual mission-purpose logic. As a result, the trusted code base is unnecessarily large and audit costs are high. We present a software architecture in which applications can be completely untrusted, even when they manipulate secrets. Key to our approach is the use of a trusted multi-level security virtual machine, inside of which all secrets remain locked at all times. In an experimental prototype, we were able to bring down the run-time overhead much lower than expected, by using aggressive dynamic compilation and static analysis techniques.

en
Eliminating Trust From Application Programs By Way Of Software Architecture
Text/Conference Paper
ISSN: 1617-5468