Process isolation protects kernel from applications protects applications from each other uses an address space for every process introduces context switches (usermode and kernelmode, between processes) introduces kernel System Call interface VM isolation (V8) JavaScript is "safe" language V8 compiles JavaScript into trusted native code sandbox, VM controls everything program is allowed to do ofte