A separation management system (32) for governing interaction between code within a code base (50) operable on a computer (30) determines a region in a memory (44) of the computer (30) in which the code base (50) resides and defines container boundaries (118, 124, 130, 135) in the region for a plurality of containers (95). Each of the containers (95) contains subsets of the code (120, 126, 132, 137) that cannot be trusted. A policy (94) is created that governs interaction between the subsets of the code in the containers (95). The code base (50) is executed in the computer (30) in accordance with the policy (94) such that the subsets of code within the containers (95) are prevented from accessing code outside of their respective containers (95) when access is disallowable as indicated by the policy (94).