Abstract

To be trustworthy, security-sensitive applications must be formally verified and hence small and simple (i.e., 'wimpy'). Thus they cannot rely on the variety of basic services available only in large commodity systems (i.e., in 'giants'). To survive, the wimps must securely compose with ('dance with') the giants; i.e., rely on the giants' services, but only after efficiently verifying their results. This paper presents a security architecture that provides a variety of on-demand isolated I/O channels for wimps without bloating the underlying trusted computing base. We design and implement a wimpy kernel, which runs on top of a micro-hypervisor and guarantees I/O channel isolation. We minimize the size and complexity of the wimpy kernel by safely outsourcing and deprivileging most device-driver subsystem functions to an untrusted commodity OS and to user-level code. We illustrate a concrete implementation of the wimpy kernel for a major I/O subsystem, namely the USB subsystem, and for a variety of device drivers. Our experimental measurements exhibit the desired minimality and efficiency of the trusted base.
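The core pattern in the abstract, outsource the bulk of driver work to the untrusted commodity OS and keep only a small verifier in the trusted base, is illustrated by the following added example. It is not code from the paper or its implementation: the descriptor layout, field names, the 64 KiB isolated buffer region, the endpoint-ownership mask and the `verify_td_chain` function are all assumptions chosen for illustration, standing in for the host-controller-specific data structures a real USB wimpy kernel would check. The untrusted OS hands over a chain of USB-style transfer descriptors; the trusted side only has to confirm that every descriptor stays inside the wimp's isolated DMA region, targets an endpoint the wimp owns, and that the chain is well-formed, which is far less code than a USB host-controller driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of one wimpy-kernel check. The untrusted OS builds a transfer-
 * descriptor (TD) chain; the trusted verifier below decides whether the
 * hardware may consume it. Layout, sizes and names are assumptions made for
 * this example, not the paper's real structures. */

#define WIMP_BUF_BASE 0x10000000u
#define WIMP_BUF_SIZE 0x00010000u   /* assumed 64 KiB isolated DMA region */
#define MAX_TDS       16
#define TD_LINK_END   0xFFFFFFFFu   /* assumed end-of-chain marker */

enum td_verdict { TD_OK = 0, TD_BAD_ADDR, TD_BAD_LEN, TD_BAD_EP, TD_BAD_LINK };

struct td {
    uint32_t buf_addr;  /* physical address of the data buffer */
    uint32_t len;       /* bytes to transfer (0 is a valid zero-length packet) */
    uint8_t  endpoint;  /* endpoint number the TD targets */
    uint32_t next;      /* index of the next TD, or TD_LINK_END */
};

struct wimp_policy {
    uint32_t buf_base, buf_size;
    uint32_t endpoint_mask;  /* bit i set => the wimp owns endpoint i */
};

/* Walk the chain starting at tds[start]. Accept only if every buffer lies
 * inside [buf_base, buf_base + buf_size), every endpoint is owned by the
 * wimp, and the chain is in-bounds and acyclic. */
enum td_verdict verify_td_chain(const struct td *tds, size_t n, uint32_t start,
                                const struct wimp_policy *p)
{
    bool seen[MAX_TDS] = { false };
    uint32_t idx = start;

    while (idx != TD_LINK_END) {
        /* out-of-range index or a revisited node: malformed or cyclic chain */
        if (idx >= n || idx >= MAX_TDS || seen[idx]) return TD_BAD_LINK;
        seen[idx] = true;
        const struct td *t = &tds[idx];

        if (t->len > p->buf_size) return TD_BAD_LEN;
        /* overflow-safe containment: offset + len <= size, computed without
         * ever forming buf_addr + len, which could wrap around 32 bits */
        if (t->buf_addr < p->buf_base ||
            t->buf_addr - p->buf_base > p->buf_size - t->len)
            return TD_BAD_ADDR;
        if (t->endpoint >= 32 || !(p->endpoint_mask & (1u << t->endpoint)))
            return TD_BAD_EP;

        idx = t->next;
    }
    return TD_OK;
}

/* Constructed samples standing in for chains handed over by the untrusted OS. */
static const struct wimp_policy demo_policy = {
    WIMP_BUF_BASE, WIMP_BUF_SIZE, (1u << 1) | (1u << 2)
};
static const struct td good_chain[] = {
    { WIMP_BUF_BASE + 0x0000, 512, 1, 1 },
    { WIMP_BUF_BASE + 0x0200, 512, 1, 2 },
    { WIMP_BUF_BASE + 0xFE00, 512, 2, TD_LINK_END },  /* ends exactly at the region end */
};
static const struct td escape_chain[] = {   /* last buffer overruns the region by one byte */
    { WIMP_BUF_BASE + 0x0000, 512, 1, 1 },
    { WIMP_BUF_BASE + 0xFE01, 512, 2, TD_LINK_END },
};
static const struct td foreign_ep_chain[] = { /* endpoint 5 is not owned by the wimp */
    { WIMP_BUF_BASE, 64, 5, TD_LINK_END },
};
static const struct td cyclic_chain[] = {   /* 0 -> 1 -> 0 would hang a naive walker */
    { WIMP_BUF_BASE,      64, 1, 1 },
    { WIMP_BUF_BASE + 64, 64, 1, 0 },
};
static const struct td wrap_chain[] = {     /* buf_addr + len wraps past 2^32 */
    { 0xFFFFFFF0u, 0x20, 1, TD_LINK_END },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    static const char *names[] = { "ok", "bad-addr", "bad-len", "bad-ep", "bad-link" };
    printf("good:    %s\n", names[verify_td_chain(good_chain, COUNT(good_chain), 0, &demo_policy)]);
    printf("escape:  %s\n", names[verify_td_chain(escape_chain, COUNT(escape_chain), 0, &demo_policy)]);
    printf("foreign: %s\n", names[verify_td_chain(foreign_ep_chain, COUNT(foreign_ep_chain), 0, &demo_policy)]);
    printf("cyclic:  %s\n", names[verify_td_chain(cyclic_chain, COUNT(cyclic_chain), 0, &demo_policy)]);
    printf("wrap:    %s\n", names[verify_td_chain(wrap_chain, COUNT(wrap_chain), 0, &demo_policy)]);
    return 0;
}
```

The point of the design is that the verifier is small, data-driven and independent of how the untrusted OS produced the chain: the commodity driver stack can be as large and buggy as it likes, and a descriptor that would let the device DMA outside the wimp's region, talk to another wimp's endpoint, or loop forever is rejected before the hardware sees it. The wrap-around sample shows why the containment test must avoid computing `buf_addr + len` directly; that arithmetic overflow is the classic way such a check is bypassed.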