Google’s Chrome browser is trying to take an interesting approach to running native i686 and x86-64 code safely in a sandbox (without needing code signing, so unlike ActiveX).
Essentially they compile C or C++ with a modified gcc that generates a limited subset of machine code which can be easily validated at runtime. This paper and web page explains the precise details:
This code (after validation) can be loaded from a completely untrusted source into one of the web browser’s tabs (most tabs run as separate processes). The untrusted code cannot make syscalls directly or write over any trusted parts of the same process — this is enforced by the validation step. But because it is native machine code (or a large but safe subset thereof) it still runs at just about full native speed.
To perform operations (drawing graphics etc), the untrusted code can only call a limited set of trampolines into the trusted part of the process. These are called “syscalls” but aren’t the same as ordinary OS syscalls. They are more like safe procedure calls between threads in the same process. This “syscall” trampoline is described here:
This is a nice implementation of some old ideas: trusted compilers and code validation have been around for many years, for example on the Burroughs computers and in the JVM respectively.