
10. Hardware-Security Implications

The tools above are not just for design. They are also how attacks and defenses are reasoned about.

  • Power-trace analysis. A chip's supply current is low-pass filtered by the impedance of package, PCB, and decoupling capacitors before it reaches the attacker's probe (typically the voltage across a shunt resistor in the supply path). The attacker estimates that impedance and deconvolves the measurement to recover the die current. This is the Thevenin/Norton picture applied as a measurement problem: the die is a current source, the package and decoupling network is its source impedance, and the attacker inverts that impedance. Defenders add decoupling (more low-pass filtering) so that the inversion amplifies measurement noise faster than it recovers signal; this raises the cost of the attack rather than removing the leak.
  • EM-emanation analysis (TEMPEST). A current loop on a PCB (a trace and its return path) is an antenna whose impedance, resonance, and Q determine how strongly it radiates at each frequency. Q-factor reasoning predicts which frequencies a board emits most strongly; attackers tune their antennas and receivers to those peaks, and defenders shrink loop area and damp the resonance.
  • Glitching attacks. Drop the supply briefly. The power network has a finite response time set by its L and C, so the die voltage lags the supply. Too short a glitch and the decoupling rides through it; too long and the whole chip browns out instead of mis-executing a few instructions. The attacker is solving for the supply network's step response, with the die's logic threshold as the target: the useful glitch widths are the ones that pull the die below threshold just long enough to corrupt execution and then let it recover.
  • Rowhammer. Repeatedly activating a DRAM row disturbs its physical neighbours through capacitive and electromagnetic coupling, draining charge from their cells. In a two-port view the mutual impedance between rows ($z_{12}$) sets the coupling, and with it the bit-flip probability; smaller process nodes pack rows closer, so coupling is tighter.
  • TDR. Time-domain reflectometry sends a fast edge down a trace or cable and times the reflections: each impedance discontinuity reflects with a sign that says whether it is higher or lower impedance than the line, at a delay that locates it. Used offensively to find taps and splices on a bus, and defensively to detect tampering by comparing a fresh TDR trace against a baseline taken from the known-good board.
  • Side-channel ringdown. After each clock edge the supply network rings down as an underdamped RLC; the ring frequency and decay are set by the package L, the decoupling C, and the losses, and are distinctive enough to fingerprint individual chips and operations. The ring's Q can be read straight off the schematic (for a series RLC, $Q = \frac{1}{R}\sqrt{L/C}$).
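The power-trace item above as an added worked example (this is not code from the original article): a constructed die current that leaks the Hamming weight of each byte it handles, a first-order package/decoupling model (series shunt R where the attacker probes, decoupling C at the die, so the measured current is a low-pass version of the die current), and the attacker's inverse filter. The leakage model, all component values, the scope noise level and the sample bytes are assumptions chosen for illustration.

```python
"""Power-trace side channel treated as a deconvolution problem.

Added example, not from the original article.  Constructed data: a toy
chip whose supply current in each clock cycle is proportional to the
Hamming weight of the byte it handles (an assumed linear leakage model).
The package and decoupling network is modelled as a first-order low-pass
with tau = R_shunt * C_decouple; the attacker measures the filtered
current at the shunt and inverts the filter to estimate the die current.
"""
import math
import random

SAMPLES_PER_CYCLE = 16   # scope samples per clock cycle (assumed)
BASE_CURRENT = 10.0      # mA, static + clock-tree current (assumed)
LEAK_PER_BIT = 1.0       # mA per set bit in the handled byte (assumed)


def hamming_weight(b):
    return bin(b & 0xFF).count("1")


def die_current(data_bytes):
    """Constructed die current: one flat step per cycle, height base + HW*leak."""
    trace = []
    for b in data_bytes:
        level = BASE_CURRENT + LEAK_PER_BIT * hamming_weight(b)
        trace.extend([level] * SAMPLES_PER_CYCLE)
    return trace


def package_alpha(r_shunt_ohm, c_decouple_f, sample_period_s):
    """Discrete low-pass coefficient a = exp(-dt / (R*C)) of the package model."""
    return math.exp(-sample_period_s / (r_shunt_ohm * c_decouple_f))


def package_filter(i_die, alpha):
    """What the attacker sees at the shunt: i_meas[n] = a*i_meas[n-1] + (1-a)*i_die[n].
    Larger alpha (more decoupling) means a heavier low-pass."""
    out = []
    prev = i_die[0]          # assume the network is settled before the trace starts
    for x in i_die:
        prev = alpha * prev + (1.0 - alpha) * x
        out.append(prev)
    return out


def deconvolve(i_meas, alpha):
    """Invert the first-order filter: i_die[n] = (i_meas[n] - a*i_meas[n-1]) / (1-a).
    Exact on a noiseless trace; amplifies white measurement noise by noise_gain(a)."""
    out = []
    prev = i_meas[0]
    for y in i_meas:
        out.append((y - alpha * prev) / (1.0 - alpha))
        prev = y
    return out


def noise_gain(alpha):
    """Std-dev multiplier the inverse filter applies to white noise: sqrt(1+a^2)/(1-a)."""
    return math.sqrt(1.0 + alpha * alpha) / (1.0 - alpha)


def recover_hamming_weights(i_est):
    """Average the estimated die current over each cycle and map it back to a Hamming weight."""
    hws = []
    for k in range(0, len(i_est), SAMPLES_PER_CYCLE):
        cyc = i_est[k:k + SAMPLES_PER_CYCLE]
        mean = sum(cyc) / len(cyc)
        hw = round((mean - BASE_CURRENT) / LEAK_PER_BIT)
        hws.append(min(8, max(0, hw)))
    return hws


def attack(data_bytes, alpha, noise_std=0.0, seed=1):
    """Measure -> add scope noise -> deconvolve -> classify.  Returns recovered Hamming weights."""
    rng = random.Random(seed)
    meas = package_filter(die_current(data_bytes), alpha)
    meas = [y + rng.gauss(0.0, noise_std) for y in meas]
    return recover_hamming_weights(deconvolve(meas, alpha))


def main():
    secret = bytes([0x00, 0x01, 0x0F, 0xFF, 0x5A, 0x80])   # constructed sample data
    truth = [hamming_weight(b) for b in secret]
    dt = 1e-9                                               # 1 GS/s scope (assumed)
    for c in (1e-9, 100e-9):   # 1 nF vs 100 nF of decoupling behind a 1 ohm shunt
        a = package_alpha(1.0, c, dt)
        got = attack(secret, a, noise_std=0.05)             # 0.05 mA of scope noise (assumed)
        print(f"C={c:.0e} F  alpha={a:.4f}  noise gain={noise_gain(a):.1f}x  "
              f"recovered={got}  truth={truth}")


if __name__ == "__main__":
    main()
```

Without noise the inverse filter is exact whatever the decoupling, which is why decoupling alone is not a countermeasure. With noise, the inverse's gain is what the defender buys with extra capacitance: at 100 nF behind a 1 Ω shunt the assumed 0.05 mA of scope noise becomes several mA at the estimate and the per-cycle classification becomes unreliable, while at 1 nF the weights come back exactly. The other practical limit is model mismatch: the attacker must estimate `alpha` from the board, and an error there leaves a residual filter on the recovered trace.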
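The glitching and ringdown items, as one added example (not code from the original article): a lumped RLC model of the supply path, integrated numerically, used first to find the shortest supply dropout that pulls the die below a logic threshold and then to read the ringdown overshoot and Q of the same network. Every component value, the 1 V supply and the 0.7 V failure threshold are assumptions chosen to give a lightly damped tank.

```python
"""Supply-network transient model for glitching and ringdown.

Added example, not from the original article.  The power path is modelled
as: supply -> package R and L -> die node with decoupling C and a resistive
load R_LOAD.  State equations:
    L di/dt = Vs - R*i - v
    C dv/dt = i - v/R_LOAD
integrated with semi-implicit Euler at 10 ps steps.  All values assumed.
"""
import math

R_PKG = 0.1      # ohm, package/bond-wire resistance (assumed)
L_PKG = 1e-9     # H, package inductance (assumed)
C_DEC = 1e-9     # F, on-die + package decoupling (assumed)
R_LOAD = 5.0     # ohm, die modelled as a resistive load (assumed)
V_DD = 1.0       # V, nominal supply (assumed)
V_TH = 0.7       # V, assumed die voltage below which logic mis-executes
DT = 1e-11       # s, integration step


def simulate(v_supply, duration, i0=0.0, v0=0.0):
    """Integrate the network; v_supply(t) is the source voltage. Returns the die-voltage trace."""
    i, v = i0, v0
    trace = []
    for k in range(int(duration / DT)):
        t = k * DT
        i += DT * (v_supply(t) - R_PKG * i - v) / L_PKG   # inductor current
        v += DT * (i - v / R_LOAD) / C_DEC                 # die (capacitor) voltage
        trace.append(v)
    return trace


def steady_state():
    """Operating point (inductor current, die voltage) with the supply at V_DD."""
    v = V_DD * R_LOAD / (R_PKG + R_LOAD)
    return v / R_LOAD, v


def glitch_min_voltage(width):
    """Lowest die voltage when the supply is shorted to 0 V for `width` seconds."""
    i0, v0 = steady_state()
    vs = lambda t: 0.0 if t < width else V_DD
    return min(simulate(vs, width + 50e-9, i0, v0))


def glitch_faults(width):
    """True if a dropout of this width drives the die below the failure threshold."""
    return glitch_min_voltage(width) < V_TH


def min_glitch_width(step=0.05e-9, limit=20e-9):
    """Shortest dropout that faults the die; None if nothing under `limit` does."""
    w = step
    while w <= limit:
        if glitch_faults(w):
            return w
        w += step
    return None


def step_response_peak():
    """Peak die voltage after the supply steps 0 -> V_DD from rest (the ringdown overshoot)."""
    return max(simulate(lambda t: V_DD, 50e-9))


def q_factor():
    """Q read off the schematic: for the 2x2 state matrix, Q = sqrt(det) / |trace|."""
    tr = -R_PKG / L_PKG - 1.0 / (R_LOAD * C_DEC)
    det = (R_PKG / R_LOAD + 1.0) / (L_PKG * C_DEC)
    return math.sqrt(det) / abs(tr)


if __name__ == "__main__":
    i0, v0 = steady_state()
    print(f"steady state: {v0:.3f} V at the die, Q = {q_factor():.2f}")
    for w in (0.1e-9, 0.5e-9, 20e-9):
        print(f"{w*1e9:5.2f} ns dropout -> min die voltage {glitch_min_voltage(w):.3f} V, "
              f"fault={glitch_faults(w)}")
    print(f"shortest faulting dropout: {min_glitch_width()*1e9:.2f} ns")
    print(f"step-response overshoot peak: {step_response_peak():.3f} V")
```

Sweeping `min_glitch_width()` is the attacker's calculation; the defender's is the same code with a larger `C_DEC` or `R_PKG`, which pushes the minimum width up and lowers Q so the ringdown carries less fingerprint. `V_TH` is the weakest assumption: a real part's failure voltage depends on clock rate, temperature and which logic is active, and is found empirically rather than from the schematic.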