This work identifies a novel software-defined hardware aging attack—“targeted wearout attack”—exploiting negative-bias temperature instability (NBTI) in nanoscale CMOS microprocessors. Unlike prior assumptions that aging is uncontrollable and non-exploitable, this attack enables unprivileged software to selectively accelerate aging of critical logic paths (e.g., RISC-V multiply-accumulate pipelines), inducing silent data corruptions. Methodologically, it integrates transistor-level NBTI modeling, microarchitectural analysis, and stress-driven workload synthesis to achieve functional-unit-level aging manipulation. Experimental evaluation demonstrates over 7× acceleration in aging rate along targeted paths and reproducible, predictable computational failures under co-located benign workloads. Crucially, this work formally establishes aging as a controllable attack surface—a paradigm shift from conventional hardware security assumptions—and introduces a new framework for cross-layer security assessment integrating software, microarchitecture, and device physics.

Negative-Bias Temperature Instability is a dominant aging mechanism in nanoscale CMOS circuits such as microprocessors. With this aging mechanism, the rate of device aging is dependent not only on overall operating conditions, such as heat, but also on user controllable inputs to the transistors. This dependence on input implies a possible timing fault-injection attack wherein a targeted path of logic is intentionally degraded through the purposeful, software-driven actions of an attacker, rendering a targeted bit effectively stuck. In this work, we describe such an attack mechanism, which we dub a "$ extbf{Targeted Wearout Attack}$", wherein an attacker with sufficient knowledge of the processor core, executing a carefully crafted software program with only user privilege, is able to degrade a functional unit within the processor with the aim of eliciting a particular desired incorrect calculation in a victim application. Here we give a general methodology for the attack. We then demonstrate a case study where a targeted path within the fused multiply-add pipeline in a RISC-V CPU sees a $>7x$ increase in wear over time than would be experienced under typical workloads. We show that an attacker could leverage such an attack, leading to targeted and silent data corruption in a co-running victim application using the same unit.