36th IEEE Computer Security Foundations Symposium July 9 - 13, 2023 - Dubrovnik, Croatia https://www.ieee-security.org/TC/CSF2023/cfp.html We are proud to announce that the CSF 2021 paper "Verifying Hyperproperties with Temporal Logic of Actions (TLA)" by Leslie Lamport and Fred B. Schneider won the NSA 10th Annual Best Scientific Cybersecurity Paper Competition. Congratulations! The Computer Security Foundations Symposium (CSF) is an annual conference for researchers in computer security, to examine current theories of security, the formal models that provide a context for those theories, and techniques for verifying security. It was created in 1988 as a workshop of the IEEE Computer Society's Technical Committee on Security and Privacy, in response to a 1986 essay by Don Good entitled "The Foundations of Computer Security—We Need Some." The meeting became a "symposium" in 2007, along with a policy for open, increased attendance. Over the past two decades, many seminal papers and techniques have been presented first at CSF. For more details on the history of the symposium, visit CSF's home. The program includes papers, panels, and a poster session. Topics of interest include access control, information flow, covert channels, cryptographic protocols, database security, language-based security, authorization and trust, verification techniques, integrity and availability models, and broad discussions concerning the role of formal methods in computer security and the nature of foundational research in this area. Important Dates AoE (UTC-12h) Spring cycle paper submission May 13, 2022 Spring cycle author notification July 15, 2022 Fall cycle paper submission September 30, 2022 Fall cycle author notification December 2, 2022 Winter cycle paper submission February 3, 2023 Winter cycle author notification April 7, 2023 CSF Symposium July 9 - 13, 2023 Sponsored by IEEE Computer Society's Technical Commitee on Security and Privacy. CSF 2023 continues to have rolling deadlines. Starting from CSF 2020, CSF has started to invite submissions three times a year: Spring, Fall, and Winter. Dates and detailed submission instructions appear later in this document. Call for Papers Proceedings will be published by the IEEE Computer Society Press and will be available at the symposium. Some small number of papers will be selected by the Program Committee as "Distinguished Papers". Topics New results in security and privacy are welcome. We also encourage challenge/vision papers, which may describe open questions and raise fundamental concerns about security and privacy. Possible topics for all papers include, but are not limited to: access control accountability anonymity attack models authentication blockchains and smart contracts cloud security cryptography data provenance data and system integrity database security decidability and complexity decision theory distributed systems security electronic voting embedded systems security forensics formal methods and verification hardware-based security information flow control intrusion detection language-based security mobile security network security privacy security and privacy aspects of machine learning security and privacy for the Internet of Things security architecture security metrics security policies security protocols software security socio-technical security trust management usable security web security SoK papers: Systematization of Knowledge Papers CSF'23 solicits systematization of knowledge (SoK) papers in foundational security and privacy research. These papers systematize, re-formulate, or evaluate existing work in one established and significant research topic. Such papers must provide new insights. Survey papers without new insights are not appropriate. Papers trying to identify robust foundations of research areas still lacking them are particularly welcome. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. Special Sessions This year, we strongly encourage papers in three foundational areas of research we would like to promote at CSF by means of special sessions. Special sessions serve to identify selected research topics of particular interest to the community. Papers submitted to special sessions are expected to comply with the same requirements as other papers. This year, we have the following special sessions: BLOCKCHAIN AND SMART CONTRACTS (Session Chairs: Matteo Maffei and Andrea Marin). Many challenges arise with the rapid development of the blockchain technology and its main application: smart contract. The need for formal foundations for the security and privacy of blockchains and smart contracts. We invite submissions on foundational work in this area. Topics include security and privacy issues, analysis and verification of existing solutions, design of new systems, broader foundational issues such as how blockchain mechanisms fit into larger distributed ecosystems and foundational security aspects of applications built on top of blockchain mechanisms, new programming languages for smart contracts, and formal analysis of smart contracts. QUANTITATIVE METHODS FOR SECURITY (Session Chairs: Mario Alvim and Catuscia Palamidessi). Security and privacy systems often present aspects that can be better understood and formalized by means of quantitative notions. For example, several protocols for controlling the information leakage use randomized techniques to protect the secret, and their properties can be elegantly captured using information theory. Similarly, mechanisms for differential privacy protect individual data by adding random noise to the result of a query, and the properties are expressed in terms of likelihoods. We invite submission in this area. Topics include, but are not limited to, quantitative information flow, metrics for security, trust and privacy, differential privacy, and methods for the analysis and verification of quantitative properties. This special session is dedicated to the memory of our colleague Geoffrey Smith, whose scientific contributions to the field of quantitative methods for security are numerous and fundamental. Geoffrey passed away in 2021, but his brilliant mind, his intellectual honesty, and his gentleness remain an inspiration to us all. CRYPTOGRAPHY (Session Chairs: Pascal Reisert and Peter Schwabe). Cryptography is at the heart of many security- and privacy-critical systems. As such it is an integral part of the field of security and privacy. While modern cryptography is built on firm theoretical foundations, new applications frequently need new cryptographic solutions, new security definitions, models, and proof techniques and tools. We invite submissions in this area. Topics include, but are not limited to, the design and analysis of cryptographic protocols, new cryptographic frameworks and proof techniques, including composability as well as automated, tool-supported analysis and verification of cryptographic primitives and protocols. These papers will be reviewed under the supervision of the special session chairs. They will be presented at the conference, and will appear in the CSF proceedings, without any distinction from the other papers. Ethics We expect authors to carefully consider and address the potential harms associated with carrying out the research, as well as the potential negative consequences that could stem from publishing their work. Failure to do so will result in summary rejection of a submission regardless of its quality and scientific value. Although causing controlled harm is sometimes a consequence of legitimate scientific research in computer security and privacy, authors are expected to document how they have addressed and mitigated the risks. This includes, but is not limited to, considering the impact of their research on deployed systems, understanding the costs and risks their research imposes on others, safely and appropriately collecting data, and following responsible disclosure. If the submitted research has the potential to cause harm, the paper should include a clear statement about why the benefit of the research outweighs the harms, and how the authors have taken measures and followed best practices to ensure safety and minimize the harms caused by their research. If the submitted research has potential to cause harm, and authors have access to an Institutional Review Board (IRB), we expect that this IRB is consulted and its approval and recommendations are documented in the paper. We note however that IRBs are not expected to understand computer security research well or to know about best practices and community norms in our field, so IRB approval does not absolve researchers from considering ethical aspects of their work. In particular, IRB approval is not sufficient to guarantee that the PC will not have additional concerns with respect to harms associated with the research. We encourage the authors to consult with existing documentation, e.g., Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them or the Menlo Report and existing Safety consultation entities, e.g., the Tor Safety Research Board. These can help in thinking about potential harms, and in designing the safest experiments and disclosure processes. Important Dates AoE (UTC-12h) Spring cycle: May 13, 2022: paper submission deadline July 15, 2022: author notification Fall cycle: September 30, 2022: paper submission deadline December 2, 2022: author notification Winter cycle: February 3, 2023: paper submission deadline April 7, 2023: author notification Paper Submission Instructions Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with published proceedings. Papers must be submitted using the two-column IEEE Proceedings style available for various document preparation systems at the IEEE Conference Publishing Services page. All papers should be at most 12 pages long, not counting bibliography and well-marked appendices. Anonymized supplementary material such as proof scripts can be uploaded as a tar ball on the submission site. Committee members are not required to read appendices, and so the paper must be intelligible without them. Papers submitted to any of the special sessions must be marked as such via the appropriate checkbox. Papers failing to adhere to any of the instructions above will be rejected without consideration of their merits. At least one coauthor of each accepted paper is required to attend CSF to present the paper. In the event of difficulty in obtaining visas for travel, exceptions can be made and will be discussed on a case-by-case basis. CSF'23 will employ double-blind reviewing. Submitted papers must (a) omit any reference to the authors' names or the names of their institutions, and (b) reference the authors' own related work in the third person (e.g., not "We build on our previous work ..." but rather "We build on the work of ..."). Nothing should be done in the name of anonymity that weakens the submission or makes the job of reviewing the paper more difficult (e.g., important background references should not be omitted or anonymized). Please see our frequently asked questions (FAQ) that address many common concerns. When in doubt, contact the program chairs. Decisions The outcome of the review process can be one of the following three: accept, reject, major revision. In some occasions, accepted papers are shepherded for minor modifications. Major revisions Papers with "major revision" decision must be re-submitted within the following two cycles, accompanied by a writeup explaining how the revision meets reviewers' revision requirements. These papers will be reviewed by the same reviewers as those for the initial submission. They may use 16 pages in the usual IEEE template, but the 16 pages should contain everything, in particular bibliography and appendix (if any). In other words, revisions should be prepared as if they were camera-ready papers. For additional material authors may point to technical reports or supply additional material when submitting the paper. Reviewers are, however, not obliged to read this material. Authors should submit their revision as a new paper (rather than updating the previous submission) and mark it as "major revision". For major revision papers the submission system will ask authors to provide additional information in a textbox, such as the cycle and the submission number of the previous submission. The possible decisions for such resubmitted revised papers are the following: accept (possibly with shepherding) or reject, i.e., a major revision decision is excluded. Like all papers, major revision papers can be withdrawn from the conference at any time. Major revision papers not re-submitted within the following two cycles will be considered new submissions, reviewed by serving PC members. A writeup explaining how the revision meets previous reviewers' revision requirements is optional. The layout of these papers has to follow the guidelines for regular submissions, in particular, for these papers the limit of 12 pages applies. Resubmissions of rejected papers Rejected papers can be re-submitted at any time. If a rejected paper is re-submitted within 11 months of the last deadline they were submitted to (e.g., rejected submissions to Sep 2021 is resubmitted to May 2022 deadline), reviews and a writeup explaining how the current submission addresses concerns in the reviews must be submitted as supplementary material. The paper will be desk-rejected by the PC chairs if previous reviews or the explanation is missing. We may use a different set of reviewers for re-submissions. All resubmissions of rejected papers can optionally submit reviews from previous submissions and a writeup explaining how the current submission addresses concerns in the reviews as supplementary material. In any case, previously rejected papers should follow the paper submission instructions of regular submissions. In particular, the same page limit and format applies and submissions should be anonymized.