MAY 23-27, 2021
42nd IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.
Based on the experience in the past two years, the reviewing process for IEEE S&P is changed to a quarterly submission model. Within 2.5 months of submission, author notifications of Accept/Revise/Reject decisions will be sent out. For each submission, one of the following decisions will be made:
Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference, possibly after making minor changes with the oversight of a shepherd. Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2021”.
Revise: A limited number of papers will be invited to submit a revision; such papers will receive a specific set of expectations to be met by that revision. Authors can submit a revised paper to the next two quarterly submission deadlines after the notification. The authors should clearly explain in a well-marked appendix how the revisions address the comments of the reviewers. The revised paper will then be re-evaluated, and either accepted or rejected.
Reject: Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
All papers accepted by February 21, 2021 will appear in the proceedings of the symposium in May 2021 and invited to present their work. These include papers that were submitted in December 2020 and were accepted without revision, or papers that were submitted by June 2020, got the Revise decision, and resubmitted the revised paper in December.
All deadlines are 23:59:59 AoE (UTC-12).
As described above, some number of papers will receive a Revise decision, rather than Accept or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Upon receiving a Revise decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for one year from the date of the original submission. Authors can submit a revised paper to the next two quarterly submission deadlines after the notification. Revisions must be accompanied by a summary of the changes that were made.
After finishing the first three cycles, a total of 77 papers were accepted (including revised papers from the previous year). In total, 643 papers were submitted, resulting in an acceptance rate of 12.0%.
These instructions apply to both the research papers and systematization of knowledge papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper online, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to contact directly the program committee members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, "Author X is on the Technical Advisory Board of the ByteCoin Foundation," or "Professor Y is the CTO of DoubleDefense, which specializes in malware analysis." More information regarding this policy is available here.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8b. All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.
For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will be asked to complete their reviews before reading the provided supplementary material to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.
Authors need to make sure that the prior reviews do not reveal the identity of the authors, the authors need to carefully remove all information that might violate the anonymous submission requirements.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.
|Alina Oprea||Northeastern University|
|Thorsten Holz||Ruhr-Universität Bochum|
|Adam Aviv||The George Washington University|
|Gilles Barthe||MPI-SP and IMDEA Software Institute|
|Lujo Bauer||Carnegie Mellon University|
|Antonio Bianchi||Purdue University|
|Battista Biggio||University of Cagliari|
|Eric Bodden||Paderborn University and Fraunhofer IEM|
|Joseph Bonneau||New York University|
|Kevin Borgolte||Princeton University|
|Ioana Boureanu||University of Surrey|
|Billy Brumley||Tampere University|
|Chris Brzuska||Aalto University|
|Kevin Butler||University of Florida|
|Brent Byunghoon Kang||KAIST|
|Srdjan Capkun||ETH Zurich|
|David Cash||University of Chicago|
|Lorenzo Cavallaro||King's College London|
|Melissa Chase||Microsoft Research Redmond|
|Rahul Chatterjee||University of Wisconsin-Madison|
|Nicolas Christin||Carnegie Mellon University|
|Henry Corrigan-Gibbs||EPFL and MIT CSAIL|
|Manuel Costa||Microsoft Research|
|Cas Cremers||CISPA Helmholtz Center for Information Security|
|Weidong Cui||Microsoft Research|
|Rachel Cummings||Georgia Institute of Technology|
|Anupam Das||North Carolina State University|
|Nathan Dautenhahn||Rice University|
|Emiliano De Cristofaro||University College London|
|Brendan Dolan-Gavitt||New York University|
|Adam Doupé||Arizona State University|
|Markus Dürmuth||Ruhr-Universität Bochum|
|Giulia Fanti||Carnegie Mellon University|
|Sebastian Faust||TU Darmstadt|
|Kassem Fawaz||University of Wisconsin-Madison|
|Tobias Fiebig||TU Delft|
|Anders Fogh||Intel Corporation|
|Cedric Fournet||Microsoft Research|
|Michael Franz||University of California Irvine|
|Matt Fredrikson||Carnegie Mellon University|
|Adria Gascon||Google Research|
|Arthur Gervais||Imperial College London|
|Neil Gong||Duke University|
|Guofei Gu||Texas A&M University|
|Andreas Haeberlen||University of Pennsylvania|
|Matthew Hicks||Virginia Tech|
|Thorsten Holz chair||Ruhr-Universität Bochum|
|Amir Houmansadr||UMass Amherst|
|Catalin Hritcu||Max Planck Institute for Security and Privacy (MPI-SP)|
|Tibor Jager||Bergische Universität Wuppertal|
|Suman Jana||Columbia University|
|Limin Jia||Carnegie Mellon University|
|Aniket Kate||Purdue University|
|Stefan Katzenbeisser||University of Passau|
|Yongdae Kim||Korea Advanced Institute of Science and Technology (KAIST)|
|David Kohlbrenner||UC Berkeley|
|Katharina Krombholz||CISPA Helmholtz Center for Information Security|
|Ralf Kuesters||University of Stuttgart|
|Boris Köpf||Microsoft Research|
|Qi Li||Tsinghua University|
|Frank Li||Georgia Institute of Technology|
|Xiaojing Liao||Indiana University Bloomington|
|David Lie||University of Toronto|
|Zhiqiang Lin||The Ohio State University|
|Martina Lindorfer||TU Wien|
|Matteo Maffei||TU Wien|
|Sergio Maffeis||Imperial College London|
|Clémentine Maurice||CNRS, IRISA|
|Michelle Mazurek||University of Maryland|
|Damon McCoy||New York University|
|Andrew Miller||University of Illinois at Urbana-Champaign|
|Nick Nikiforakis||Stony Brook University|
|Guevara Noubir||Northeastern University|
|Olga Ohrimenko||The University of Melbourne|
|Alina Oprea chair||Northeastern University|
|Yossi Oren||Ben-Gurion University|
|Nicolas Papernot||University of Toronto and Vector Institute|
|Paul Pearce||Georgia Tech and ICSI|
|Marcus Peinado||Microsoft Research|
|Giancarlo Pellegrino||CISPA Helmholtz Center for Information Security|
|Roberto Perdisci||University of Georgia|
|Frank Piessens||KU Leuven|
|Benny Pinkas||VMware Research / Bar Ilan University|
|Jason Polakis||University of Illinois at Chicago|
|Michalis Polychronakis||Stony Brook University|
|Christina Pöpper||New York University Abu Dhabi|
|Zhiyun Qian||University of California Riverside|
|Aanjhan Ranganathan||Northeastern University|
|Kasper Rasmussen||University of Oxford|
|Konrad Rieck||TU Braunschweig|
|William Robertson||Northeastern University|
|Christian Rossow||CISPA Helmholtz Center for Information Security|
|Andrei Sabelfeld||Chalmers University of Technology|
|Brendan Saltaformaggio||Georgia Institute of Technology|
|Dominique Schröder||Friedrich-Alexander-Universität Erlangen-Nürnberg|
|Jörg Schwenk||Ruhr-Universität Bochum|
|Vyas Sekar||Carnegie Mellon University|
|Simha Sethumadhavan||Columbia University/Chip Scan|
|Srinath Setty||Microsoft Research|
|Hovav Shacham||The University of Texas at Austin|
|Emily Shen||MIT Lincoln Laboratory|
|Reza Shokri||National University of Singapore (NUS)|
|Yan Shoshitaishvili||Arizona State University|
|Deian Stefan||UC San Diego|
|Ben Stock||CISPA Helmholtz Center for Information Security|
|Thorsten Strufe||Karlsruhe Institute of Technology (KIT) and CeTI/TU-Dresden|
|Gang Tan||Penn State University|
|Vanessa Teague||Thinking Cybersecurity and The Australian National University|
|Yuan Tian||University of Virginia|
|Jonathan Ullman||Northeastern University|
|Selcuk Uluagac||Florida International University|
|Blase Ur||University of Chicago|
|Xiao Wang||Northwestern University|
|Yuval Yarom||University of Adelaide and Data61|
|Yanfang (Fanny) Ye||Case Western Reserve University|
|Heng Yin||UC Riverside|
|Fengwei Zhang||Southern University of Science and Technology (SUSTech)|
|Ben Zhao||University of Chicago|
|Yajin Zhou||Zhejiang University|
|Thyla van der Merwe||Mozilla|