A security device includes an interface and a processor. The interface is configured for connecting to a bus that serves one or more peripheral devices, at least one of the peripheral devices being a memory device. The processor is connected to the bus in addition to the peripheral devices, and is configured to hold a definition that distinguishes between authorized and unauthorized transactions with the memory device, to identify on the bus a transaction in which a bus-master device attempts to access the memory device, and to initiate a responsive action in response to identifying that the transaction is unauthorized in accordance with the definition.
展开▼