Analog Malicious Hardware. In this paper, we show how a fabrication-time attacker can
leverage analog circuits to create a hardware attack that is
small and stealthy. pdf 
Behavior model of proposed analog trigger circuit.
In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value.
We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor.
To demonstrate that our attack works for real chips, we
implement a privilege escalation attack in the OR1200
open source processor. We attach our capacitor to a signal
that infrequently toggles with normal software, but toggles
at a high rate with specially-crafted, usermode trigger programs. wikipedia
Our results expose two weaknesses in current malicious hardware defenses.
First, existing defenses analyze the digital behavior of a circuit using functional simulation or the analog behavior of a circuit using circuit simulation.
Second, the minimal impact on the runtime properties of a circuit suggests that it is an extremely challenging task for side-channel analysis techniques to detect this new class of attacks.
We believe that our results motivate a different type of defense; a defense where trusted circuits monitor the execution of untrusted circuits, looking for outof-specification behavior in the digital domain.
This work was supported in part by C-FAR, one of the
six SRC STARnet Centers, sponsored by MARCO and
DARPA. site