Invention Grant
US08528083B2 Using a call gate to prevent secure sandbox leakage (in force)

Using a call gate to prevent secure sandbox leakage
Abstract:
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for enveloping a thread of execution within an IDT-based secure sandbox. In one aspect, embodiments of the invention provide that a request is received from an application, the request being generated using an application programming interface of a device driver. After the request is received, a call gate descriptor for a call gate is added to a segment descriptor table for the application. The call gate descriptor specifies: (a) that the call gate can be called from a first privilege level of the application; and (b) that the call gate requests a second privilege level higher than the first privilege level. A call gate selector for the call gate descriptor is provided to the application in response to the request.
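The two properties the abstract lists for the call gate descriptor can be made concrete with the following added example, which is not code from the patent. It assumes the 32-bit x86 protected-mode call gate layout, which the abstract does not name. The struct and function names are hypothetical, and the target code segment's DPL is assumed to be looked up separately by the caller.

```c
#include <stdbool.h>
#include <stdint.h>

/* Decoded 32-bit x86 call gate descriptor (layout assumed; names are hypothetical). */
struct call_gate {
    uint32_t offset;      /* entry point in the target code segment */
    uint16_t selector;    /* target code segment selector */
    uint8_t  param_count; /* dwords copied to the new stack, 0-31 */
    uint8_t  dpl;         /* least-privileged ring allowed to call the gate */
    bool     present;
};

/* Pack a gate into the 8-byte little-endian descriptor table entry. */
static void encode_call_gate(const struct call_gate *g, uint8_t out[8])
{
    out[0] = (uint8_t)(g->offset);
    out[1] = (uint8_t)(g->offset >> 8);
    out[2] = (uint8_t)(g->selector);
    out[3] = (uint8_t)(g->selector >> 8);
    out[4] = g->param_count & 0x1F;
    /* P | DPL | S=0 | type 0xC (32-bit call gate) */
    out[5] = (uint8_t)((g->present ? 0x80 : 0) | ((g->dpl & 3) << 5) | 0x0C);
    out[6] = (uint8_t)(g->offset >> 16);
    out[7] = (uint8_t)(g->offset >> 24);
}

/* Unpack an entry; returns false if it is not a 32-bit call gate. */
static bool decode_call_gate(const uint8_t in[8], struct call_gate *g)
{
    if ((in[5] & 0x1F) != 0x0C)
        return false;
    g->offset = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
                (uint32_t)in[6] << 16 | (uint32_t)in[7] << 24;
    g->selector = (uint16_t)(in[2] | in[3] << 8);
    g->param_count = in[4] & 0x1F;
    g->dpl = (in[5] >> 5) & 3;
    g->present = (in[5] & 0x80) != 0;
    return true;
}

/* Conditions (a) and (b): the caller's ring may use the gate, and the target
 * code segment (its DPL supplied by the caller) is more privileged. */
static bool gate_raises_privilege(const struct call_gate *g,
                                  unsigned caller_ring, unsigned target_cs_dpl)
{
    return g->present && caller_ring <= g->dpl && target_cs_dpl < caller_ring;
}
```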