Decided to clear out the discussion of timing attacks from the hosting chapter. I mean, sure, it's an important point. On the other hand, we don't have anything useful to say about them -- you're going to leak some information, in the information-theoretic sense. You can use the "Chinese Wall" policy, but that implies that you can partition your domains into groups with mutual trust -- not an especially likely scenario in the VPS model.
The important thing is really just to remember that information will leak. There's been a lot of work on access controls, but the current Xen policy for dealing with covert channels is still the "Chinese Wall" -- labels to define certain domains that will never be run simultaneously on the same machine. We outline certain controls here, but they're never going to be perfect.
Damnit, I still think we should talk about the security modules at least a little. But I really don't know anything about them.
The biggest problem with the xen 'Chinese Wall' is that it doesn't help you unless you have something that moves DomUs from one server to another without considering who should be on those DomUs. (I believe the Citrix XenSource product has such a mechanism...) The Xen security modules might be a cool platform for doing stuff in the future, but right now, I think it makes more sense to leave the 'what DomU run on what servers' logic to the scripts that move your DomUs from one server to another.