Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness. In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support interprocess communication, complicating the use of untrusted components inside a secure systems. We propose extending traditional VMMs with features for secure message passing and memory sharing to enable the use of untrusted components in secure systems. We argue that moving system components out of the TCB into the untrusted part of the system and communicating with them using IPC reduces the overall size of the TCB. We argue that many secure applications can make use of untrusted components through trusted wrappers without risking securi...