A Virtual Machine (VM) executes software programs as if it were a physical machine. The programs executed by the VM are limited to the resources the VM provides. Applications use security models to control the access that outside programs have to internal resources. For some programs, called principals, a model may represent the set of objects that those untrusted principals interact with. For example, web browsers use a Document Object Model (DOM) to represent web pages that can be manipulated by principals written in a scripting language. These untrusted programs may be subject to a security policy that restricts which objects they can interact with. Such security policies are partly enforced by bindings that control what resources are accessible to a VM. For example, a binding for a scripting program allows access only to DOM elements from the same origin as the page containing the scripting program (the same-origin policy).
A problem arises if multiple heterogeneous VMs are to interact with the same model. Heterogeneous VMs are VMs for different languages that may interact differently with a security model, or require different ways of enforcing security. For example, a Python® VM may interact with the DOM in a different way than a JavaScript® VM. Each VM interacts with the model in its own way, with potentially different programming languages or execution formats, but the programs running on the VMs must remain subject to the same security policy. However, the security policy cannot be fully enforced within the model itself, because the restrictions it enforces must take into account which VM, or which principal running in a VM, is active at a given time. Plugins, by contrast, must each implement their own security policies for interactions with elements in the DOM, leading to potential differences between security models.
Also, plugins have indirect and incomplete bindings to the DOM. For example, for a plugin to interact with DOM elements on the same web page or alongside a scripting program, a separate operating process may have to make an indirect call out to the layout engine that implements the DOM, which then sends instructions to other elements in the web page.