A one-way isolation execution model based on hardware virtualization is proposed. In this model, the security application based on self-requirements can be divided into two parts: host process and security sensitive module (SSM). Isolated execution manager named SSMVisor, as the core component of isolation execution model, provides a one-way isolation execution environment for SSMs, not only to ensure security, but also to allow SSMs to call outside functions. As security application’s trusted computing base (TCB) only includes SSMs and SSMVisor, without operating system and the security unrelated module of the applications, the size of security application’s TCB is reduced effectively. A prototype system is not only compatible with the original operating system, but also light-weight. Experimental results show that the performance overhead of prototype system is very low, about 6.5%.