Eliminating trust from application programs by way of software architecture
Michael Franz
Abstract
In many of today's application programs, security functionality is inseparably intertwined with the actual mission-purpose logic. As a result, the trusted code base is unnecessarily large and audit costs are high. We present a software architecture in which applications can be completely untrusted, even when they manipulate secrets. Key to our approach is the use of a trusted multi-level security virtual machine, inside which all secrets remain locked at all times. In an experimental prototype, we were able to bring the run-time overhead down much lower than expected by using aggressive dynamic compilation and static analysis techniques.