[jgw]

No, I don't think you're seeing the proposed attack here. As I understand it:

1. A company tapes out their chip to be fabbed, as most chips are, off-shore. The design is clean.

2. The backdoor is added after it is out of the company's hands -- say, by the fab. A single register and some wiring are not that difficult to add by hand to the design masks -- effectively, it's just an ECO.

Post tape-out tampering is a mounting concern for our clients. [EDIT: I work for an ASIC Design & Verification consultancy]