The goal of detecting modifications, such as unauthorized modifications for example, of the code and / or behavior of an embedded device (e.g., unexpected / unauthorized remote
reprogramming, re-flashing), changes to code at run-time (e.g.,
code injection,
software parameter changes due to run-time reconfiguration commands), execution of unauthorized code, activation of hardware Trojans, and other attacks on the hardware and / or
software of embedded devices (or more generally, for determining an aspect of behavior of an embedded device and / or an
embedded system) is solved by (1) injecting at least one of (A) code and / or (B) inputs into the
embedded system to cause the
embedded system, when functioning as desired, to exhibit an identifiable baseline behavior determined from a sequence of patterns (also referred to as “fiduciary markers”) in
observable side channel emissions of the embedded
system; (2) measuring side channel emissions generated by the embedded
system when the at least one of (A) code and / or (B) inputs is injected; (3) extracting features from the measured side channel emissions; and (4) determining the aspect of the behavior of the embedded
system by analyzing the extracted features with respect to features of the baseline behavior.