MAY 23-27, 2021

42nd IEEE Symposium on
Security and Privacy

Call For Papers

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.

Topics of interest include:

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.

Quarterly Submissions

Based on the experience in the past two years, the reviewing process for IEEE S&P is changed to a quarterly submission model. Within 2.5 months of submission, author notifications of Accept/Revise/Reject decisions will be sent out. For each submission, one of the following decisions will be made:

All papers accepted by February 21, 2021 will appear in the proceedings of the symposium in May 2021 and invited to present their work. These include papers that were submitted in December 2020 and were accepted without revision, or papers that were submitted by June 2020, got the Revise decision, and resubmitted the revised paper in December.

Important Dates

All deadlines are 23:59:59 AoE (UTC-12).

Spring Quarter Deadline

Summer Quarter Deadline

Fall Quarter Deadline

Winter Quarter Deadline

Revised Submissions

As described above, some number of papers will receive a Revise decision, rather than Accept or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Upon receiving a Revise decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for one year from the date of the original submission. Authors can submit a revised paper to the next two quarterly submission deadlines after the notification. Revisions must be accompanied by a summary of the changes that were made.

Submission Statistics

After finishing the first three cycles, a total of 77 papers were accepted (including revised papers from the previous year). In total, 643 papers were submitted, resulting in an acceptance rate of 12.0%.

Instructions for Paper Submission

These instructions apply to both the research papers and systematization of knowledge papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.

Anonymous Submission

Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review.

While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper online, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to contact directly the program committee members to discuss their submission.

The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.

Conflicts of Interest

Drawn from the ACM SIGMOD 2015 CFP

During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:

  1. The PC member is a co-author of the paper.
  2. The PC member has been a co-worker in the same company or university within the past two years.
    • For student interns, the student is conflicted with their supervisors and with members of the same research group. If the student no longer works for the organization, then they are not conflicted with a PC member from the larger organization.
  3. The PC member has been a collaborator within the past two years.
  4. The PC member is or was the author's primary thesis advisor, no matter how long ago.
  5. The author is or was the PC member's primary thesis advisor, no matter how long ago.
  6. The PC member is a relative or close personal friend of the author.

For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.

Financial and Non-financial competing interests NEW

In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, "Author X is on the Technical Advisory Board of the ByteCoin Foundation," or "Professor Y is the CTO of DoubleDefense, which specializes in malware analysis." More information regarding this policy is available here.

Ethical Considerations for Vulnerability Disclosure

Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days to 90 days ahead of publication is consistent with authors’ ethical obligations.

The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Ethical Considerations for Human Subjects Research

Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:

  1. Disclose whether the research received an approval or waiver from each of the authors' institutional ethics review boards (IRB) if applicable.
  2. Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect.

If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Page Limit and Formatting

Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.

Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8b. All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.

Reviews from Prior Submissions

Drawn from the ACM CCS 2020 CFP, New this year

For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will be asked to complete their reviews before reading the provided supplementary material to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.

Authors need to make sure that the prior reviews do not reveal the identity of the authors, the authors need to carefully remove all information that might violate the anonymous submission requirements.


Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.

Conference Submission Server

Publication and Presentation

Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.

Program Committee

PC Chairs

Alina Oprea Northeastern University
Thorsten Holz Ruhr-Universität Bochum

PC Members

Adam Aviv The George Washington University
Davide Balzarotti Eurecom
Gilles Barthe MPI-SP and IMDEA Software Institute
Lujo Bauer Carnegie Mellon University
Karthikeyan Bhargavan Inria
Antonio Bianchi Purdue University
Nataliia Bielova Inria
Battista Biggio University of Cagliari
Eric Bodden Paderborn University and Fraunhofer IEM
Joseph Bonneau New York University
Kevin Borgolte Princeton University
Ioana Boureanu University of Surrey
Billy Brumley Tampere University
Chris Brzuska Aalto University
Kevin Butler University of Florida
Brent Byunghoon Kang KAIST
Srdjan Capkun ETH Zurich
Nicholas Carlini Google
David Cash University of Chicago
Lorenzo Cavallaro King's College London
Melissa Chase Microsoft Research Redmond
Rahul Chatterjee University of Wisconsin-Madison
Nicolas Christin Carnegie Mellon University
Henry Corrigan-Gibbs EPFL and MIT CSAIL
Manuel Costa Microsoft Research
Cas Cremers CISPA Helmholtz Center for Information Security
Weidong Cui Microsoft Research
Rachel Cummings Georgia Institute of Technology
Anupam Das North Carolina State University
Nathan Dautenhahn Rice University
Emiliano De Cristofaro University College London
Brendan Dolan-Gavitt New York University
Adam Doupé Arizona State University
Markus Dürmuth Ruhr-Universität Bochum
Giulia Fanti Carnegie Mellon University
Sebastian Faust TU Darmstadt
Kassem Fawaz University of Wisconsin-Madison
Tobias Fiebig TU Delft
Anders Fogh Intel Corporation
Cedric Fournet Microsoft Research
Michael Franz University of California Irvine
Matt Fredrikson Carnegie Mellon University
Adria Gascon Google Research
Arthur Gervais Imperial College London
Neil Gong Duke University
Guofei Gu Texas A&M University
Andreas Haeberlen University of Pennsylvania
Matthew Hicks Virginia Tech
Thorsten Holz chair Ruhr-Universität Bochum
Amir Houmansadr UMass Amherst
Catalin Hritcu Max Planck Institute for Security and Privacy (MPI-SP)
Luca Invernizzi Google
Tibor Jager Bergische Universität Wuppertal
Suman Jana Columbia University
Limin Jia Carnegie Mellon University
Aniket Kate Purdue University
Stefan Katzenbeisser University of Passau
Yongdae Kim Korea Advanced Institute of Science and Technology (KAIST)
David Kohlbrenner UC Berkeley
Katharina Krombholz CISPA Helmholtz Center for Information Security
Ralf Kuesters University of Stuttgart
Boris Köpf Microsoft Research
Tancrède Lepoint Google
Qi Li Tsinghua University
Frank Li Georgia Institute of Technology
Xiaojing Liao Indiana University Bloomington
David Lie University of Toronto
Zhiqiang Lin The Ohio State University
Martina Lindorfer TU Wien
Matteo Maffei TU Wien
Sergio Maffeis Imperial College London
Clémentine Maurice CNRS, IRISA
Michelle Mazurek University of Maryland
Damon McCoy New York University
Andrew Miller University of Illinois at Urbana-Champaign
Nick Nikiforakis Stony Brook University
Guevara Noubir Northeastern University
Olga Ohrimenko The University of Melbourne
Alina Oprea chair Northeastern University
Yossi Oren Ben-Gurion University
Nicolas Papernot University of Toronto and Vector Institute
Mathias Payer EPFL
Paul Pearce Georgia Tech and ICSI
Marcus Peinado Microsoft Research
Giancarlo Pellegrino CISPA Helmholtz Center for Information Security
Roberto Perdisci University of Georgia
Frank Piessens KU Leuven
Benny Pinkas VMware Research / Bar Ilan University
Jason Polakis University of Illinois at Chicago
Michalis Polychronakis Stony Brook University
Christina Pöpper New York University Abu Dhabi
Zhiyun Qian University of California Riverside
Ananth Raghunathan Google
Aanjhan Ranganathan Northeastern University
Kasper Rasmussen University of Oxford
Mariana Raykova Google
Konrad Rieck TU Braunschweig
William Robertson Northeastern University
Christian Rossow CISPA Helmholtz Center for Information Security
Andrei Sabelfeld Chalmers University of Technology
Brendan Saltaformaggio Georgia Institute of Technology
Dominique Schröder Friedrich-Alexander-Universität Erlangen-Nürnberg
Jörg Schwenk Ruhr-Universität Bochum
Vyas Sekar Carnegie Mellon University
Simha Sethumadhavan Columbia University/Chip Scan
Srinath Setty Microsoft Research
Hovav Shacham The University of Texas at Austin
Emily Shen MIT Lincoln Laboratory
Elaine Shi Cornell
Reza Shokri National University of Singapore (NUS)
Yan Shoshitaishvili Arizona State University
Emily Stark Google
Deian Stefan UC San Diego
Ben Stock CISPA Helmholtz Center for Information Security
Thorsten Strufe Karlsruhe Institute of Technology (KIT) and CeTI/TU-Dresden
Gang Tan Penn State University
Vanessa Teague Thinking Cybersecurity and The Australian National University
Kurt Thomas Google
Yuan Tian University of Virginia
Carmela Troncoso EPFL
Jonathan Ullman Northeastern University
Selcuk Uluagac Florida International University
Blase Ur University of Chicago
Xiao Wang Northwestern University
Yuval Yarom University of Adelaide and Data61
Yanfang (Fanny) Ye Case Western Reserve University
Ting-Fang Yen DataVisor
Heng Yin UC Riverside
Fengwei Zhang Southern University of Science and Technology (SUSTech)
Ben Zhao University of Chicago
Yajin Zhou Zhejiang University
Thyla van der Merwe Mozilla