Abstract: Microkernel OSes separate OS functionalities, including file systems and device drivers, into different user-level services, which mitigates the problem of lacking isolation in monolithic OSes. Nevertheless, from the perspective of applications, compromised services may still threaten applications’ security. Specifically, attackers can utilize vulnerabilities in file systems and disk drivers to leak or manipulate applications’ file content. The key problem is that de-privileging OS services from the kernel level to the user level does not mean the reduction of applications’ trusted computing base (TCB), and applications still need to trust all the required system services. This paper shows a case for providing the file service to applications with minimum TCB on microkernel OSes. Observing that file services actually do not need to access concrete file content, we propose a mechanism named Mirage, which deprives their privilege of accessing file content while preserving their management capability. Mirage efficiently protects the confidentiality and integrity of application files from untrusted services. The evaluation demonstrates that Mirage outperforms an encryption-based mechanism by up to 128% for IO-intensive workloads.