
Code Inspection


Under certain circumstances it is possible to inspect a binary image and guarantee that it obeys the privilege restrictions. A control flow analysis must be performed to ensure that no branches outside the handler take place. In order to limit the run time, loops are required to have fixed starting and ending values and backward branches (and register indirect branches) are disallowed. Register indirect memory accesses have to be done by a routine within the OS that verifies that the access is legal. Essentially, register indirect memory accesses are interpreted [20].
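As an added illustration (not from the thesis), a toy inspector that applies the rules above to a constructed mini instruction set: it rejects register-indirect branches and loads, backward and out-of-handler branches, absolute addresses outside a granted data window and non-literal loop counts, and, because only forward branches and literal-count loops remain, it can also compute a static bound on the number of instructions a handler executes. The instruction set, the data window and the function names are assumptions.

```python
# Toy static inspector for a kernel-embedded handler (constructed example).
# An instruction is a tuple; its index in the list is its address.
#   ("op", ...)                register arithmetic, always allowed
#   ("load", reg, addr)        absolute load; addr must lie in the data window
#   ("loadr", reg, reg)        register-indirect load: rejected, use checked_load
#   ("checked_load", reg, reg) OS routine that validates the address at run time
#   ("jz", reg, target), ("jmp", target)   forward-only branches
#   ("jmpr", reg)              register-indirect branch: rejected
#   ("loop", count, end)       run instructions i+1..end `count` (literal) times
#   ("ret",)                   leave the handler
DATA_LO, DATA_HI = 0x1000, 0x1100   # assumed data window granted to the handler

def inspect(code):
    """Return (ok, reason, bound); bound is a static upper limit on executed instructions."""
    n = len(code)
    bodies = [(j, ins[2]) for j, ins in enumerate(code) if ins[0] == "loop"]
    loops, bound = [], 0          # stack of (end, multiplier) for enclosing loops
    for i, ins in enumerate(code):
        while loops and loops[-1][0] < i:
            loops.pop()
        mult = loops[-1][1] if loops else 1
        bound += mult             # instruction i runs at most `mult` times
        op = ins[0]
        if op in ("jmpr", "loadr", "storer"):
            return False, f"{i}: register-indirect {op} cannot be inspected", 0
        if op in ("jz", "jmp"):
            t = ins[-1]
            if not (i < t < n):   # no backward branch, no exit from the image
                return False, f"{i}: target {t} is not a forward in-handler address", 0
            if any(i < j < t <= e for j, e in bodies):
                return False, f"{i}: branch jumps into the middle of a loop body", 0
        elif op == "loop":
            count, end = ins[1], ins[2]
            if not isinstance(count, int) or count < 0:
                return False, f"{i}: loop count must be a non-negative literal", 0
            if not (i < end < n) or (loops and end > loops[-1][0]):
                return False, f"{i}: loop body is not a properly nested range", 0
            loops.append((end, mult * count))
        elif op == "load" and not (DATA_LO <= ins[2] < DATA_HI):
            return False, f"{i}: absolute address {ins[2]:#x} outside data window", 0
    if not code or code[-1][0] != "ret":
        return False, "handler must end with ret", 0
    return True, "ok", bound

# Constructed handlers: one that passes, one with an unbounded backward branch,
# one with an uninspectable register-indirect access.
GOOD = [("load", "r0", 0x1000), ("loop", 4, 3), ("op", "add", "r1", "r0"),
        ("checked_load", "r0", "r1"), ("jz", "r1", 6), ("op", "sub", "r1"), ("ret",)]
BACKWARD = [("op", "inc", "r0"), ("jmp", 0), ("ret",)]
INDIRECT = [("loadr", "r0", "r1"), ("ret",)]
```

`inspect(GOOD)` accepts the handler with a bound of 13 executed instructions (the two-instruction loop body counted four times); the other two are rejected with the offending address in the reason.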

We feel that the restrictions which would have to be placed on code so it can be inspected (in finite time!) are too limiting for the types of handlers we anticipate. For this reason, we will not consider code inspection any further.

A variation of this is proof-carrying code [68]. The code to be inserted carries a proof that it does not violate the policies set forth by the executor (the kernel in our case). The proof should be easy to verify and guarantee that the code is safe to execute. This research is still in its infancy, but might be applicable to small handlers.



Rolf Riesen
Wed Jan 22 22:24:20 MST 1997