This article proposes a solution to guaranty safe inter- action to components that are willing to collaborate in an extensible operating system that guaranties isolation. We focus on components used in extensible operating systems for smart objects. We propose a simple way to verify the behaviour of some components using an extension of the type system by addition of argument passing mode information to the method signatures (is the argument read, written, or remembered as reference?). We present a formalization of a PCC- like algorithm (off-card proof generator and on-card proof verifier) to statically check the mode type of the components in the Camille exokernel for smart cards. We apply our technique to ensure trust between collaborative real time extensions with the aim of supporting safe dynamic loading of scheduling policy.