Commentary and Opinion
Impressions from the first ever online version of the Security and Privacy Symposium
Experience with IEEE Symposium on Security and Privacy, 2020
From the perspective of a speaker and PhD student.
Lesly-Ann Daniel, CEA List
Attending the Conference
I'm glad that I had the chance to attend and present my work at the IEEE Symposium on Security and Privacy. It was my first time at SP and I really enjoyed the interesting talks and the friendly atmosphere. The fact that the conference was online and had a low registration cost made it a great opportunity for non-speakers to attend. For instance, in my lab, we were encouraged to register for the conference.
The format of the conference, relying on videos for the talks, was probably a good guarantee to get good quality presentations with (almost always) proper sound, and also to avoid technical problems on the speakers' side. This planning helped make the whole experience run smoothly without interruption and delay. Sometimes, I found it a bit confusing to know exactly what sessions were currently running because of time zone conversion and potential delays, so the announcements of the sessions on the slack channel were helpful.
While attending the conference, I only had one technical issue which made me miss the introduction of a talk, but fortunately the talks are available on YouTube for replay. Posting replays of the talks has the advantage of making them available for people who cannot attend the conference (and I wish more conferences would publish them because I really like watching videos to discover new topics). Moreover, knowing that replays are available makes tough choices less heart-breaking - like whether to attend session eight on fuzzing or on program analysis!
Previews, Presentations, and Papers
I really enjoyed watching the previews for the presentations. They did not influence my choice on which session to attend, but they made me discover new topics, and some of them were really fun. I especially loved the preview for LVI (Load Value Injection): it was fun, original and very well done!
I find the classes of Spectre attacks very interesting and I was really happy that we had a couple of talks about it in the first session. The paper which I liked the most was "Spectector: Principled Detection of Speculative Information Flows" because it is a first step towards automatically detecting vulnerabilities to Spectre attacks in software, and more importantly towards proving their absence. The paper defines speculative noninterference, a property to reason about speculative execution attacks, proposes a tool to analyze this property, and uses it to check countermeasures introduced by compilers.
Two papers that I find remarkable are "The Last Mile: High-Assurance and High-Speed Cryptographic Implementations" and "EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider". Both of them provide cryptographic implementations that are functionally correct, protected against side-channels, and as efficient as non-verified cryptographic implementations. I think that these two papers represent a tremendous work and provide a concrete improvement for security.
Finally, the paper that was the most surprising for me was "RAMBleed: Reading Bits in Memory Without Accessing Them" which demonstrates that Rowhammer can be used not just to compromise data integrity, but also to leak data via side channels.
What I liked the most with this remote experience were the public discussions via Slack to which anybody could participate, read, and learn. Especially, on the first day of the conference, a question was asked about whether fuzzing is applicable to liveness properties, which triggered an enlightening discussion with many pointers to good papers.
While reading this discussion, I discovered new things on fuzzing and a very good paper on the evaluation of fuzzing techniques. However, compared to face-to-face events I had fewer "random" interactions and the connections via the donut bot seemed a bit artificial and did not really work for me.
Even though the online chat platform does not fully replace face-to-face interactions, it makes it really easy to have discussions opened for the whole community, and to share links and papers to enrich these discussions. For these reasons, I think that it might be a good idea to set up online chat platforms, even for non-remote events.
It was my first time attending IEEE Symposium on Security and Privacy, and (even if it was online) it was a really great experience because I could participate in discussions and, thanks to the previews, I discovered new topics that wouldn't have caught my attention otherwise. Setting up a virtual conference in such a short time was a remarkable achievement by the organizers -- for this I would like to thank them!
Oakland 2020: Thoughts on a Virtual Conference by a Michigan EECS PhD Student
by Julia Lanier
IEEE Security and Privacy 2020 was as good as I could have hoped for as a rising second-year PhD student in embedded security research. While nothing will beat the perks of in-person conferences, this was still a beneficial learning experience. Like all things that have moved online as a result of the pandemic, there were pros and cons.
The biggest challenge for me was understanding presenters with the lack of facial expressions and hand gestures. I never realized how much they contribute to conversation, but I noticed I felt lost more than usual during presentations. Some presenters put a small video overlay on the slides of themselves speaking, which helped tremendously.
Another aspect of the virtual conference that created a challenge: meeting new people. Personally, I think the conference handled this beautifully. Every day a slack bot would pair up two people who did not know each other and place them in a private slack channel. Participants could submit a list of people they did not want to be paired with as to ensure each pair would be strangers. As imagined, this was more awkward than the organic introductions and conversations that happen at random at these types of gatherings, but I found this to be an inventive and effective solution.
One thing I would like to see improved is the Q&A sessions. After each paper presentation session, a zoom link would automatically pop up taking attendees to the Q&A session. There were a couple issues arising with this process, the first being how short the Q&A sessions were. One perk of being online is that multiple things can happen in parallel, so having such a short Q&A session made me wonder how to improve the opportunity. The second being the throughput of the Q&A sessions due to attendees being muted. While I understand the reasoning behind the forced mute, it took a significant amount of time for an attendee to type the question, the presenter to read the question, comprehend the question, and then provide an answer. Back and forth communication for clarification or expansion was simply impossible, especially because of how short the time limit was. Some of this would have been solved if attendees were required to use the "raise your hand" feature of zoom and then be unmuted to ask their question. Unfortunately, I'm sure different issues would also arise with this alternative approach.
With all of that being said, having an online conference had some amazing benefits! The greatest benefit: accessibility to many people. The affordable cost and easy access allowed more people to attend the conference. Some undergraduate research assistants in my lab were able to attend and would have never been able to afford the travel and registration costs if it were held in person. I would love to see conferences and other similar events be offered both in person and online in the future. I believe IEEE Security and Privacy has created a solid foundation for this. (My PhD advisor Kevin Fu tells me that in ancient history in the 1990s, some security conferences live-cast Q&A on the Mbone using multicast. It was sick.)
Overall, the conference went very smoothly for me. I would not have guessed this was the first time this massive conference was held online. To me, that says everything. I am so grateful to the people who worked behind the scenes and took the time and ensured the conference would be a great experience and go on with minimal hiccups. They did a fantastic job! I am so glad I chose to register and I thoroughly enjoyed attending IEEE Security and Privacy 2020 online.
Bio: Julia Lanier is entering her second year in the Computer Science and Engineering PhD program at the University of Michigan. Her graduate advisor is Prof. Kevin Fu of the SPQR.eecs.umich.edu group. Her interests pertain to hardware and sensor security and VLSI design. In her spare time, she enjoys running, hiking, and playing video games. For more information about her research in embedded security, see julialanier.com.
Having attended IEEE S&P since 1982, I was relieved to learn that the show would go on and we would have the chance to participate in this premier conference during this disruptive time.
The volunteer organizers did a truly phenomenal job of creating a virtual conference in a very short time (reportedly the decision was finalized a mere 6 weeks before the conference?). The conference
104 paper previews
9 Paper Q&A sessions
15 short talks
9 Test of Time Awards
2 Birds of a Feather sessions
1 Student Mentoring session
1 Technical Committee meeting
All of these had some component of pre-recorded video and many also included a live video-based audience participation component. These numbers represent a very significant undertaking. Considering that all of the authors created quality videos and worked with the conference to provide them in a timely manner is a massive cat herding job if I ever saw one.
In addition to managing the presentations, there are also considerable logistics and decisions involved in creating this virtual conference on short notice including the need to work with the IEEE sponsoring organization requirements and constraints as well as contractual issues.
I was impressed by the choices that the committee made regarding platforms, technology, and social engagement on such short notice. The use of On24 as the staging platform for all of the talks and sessions enabled mostly seamless transitions from Webinar based video presentations of pre-recorded talks to live Zoom Q&A sessions. The use of Zoom participant hand raise, chats and screen sharing in smaller settings such as poster and Q&A sessions was largely effective. The conference ended up making extensive use of Slack. It was originally set up with some "standard" channels - Conference, General, Tech Support, and a "Hallway Track" however it quickly became the primary communication mechanism for communicating about schedule changes, serving as an alternative site for presentation materials when there were technical difficulties, and a number of discussion channels were created to continue discussions from the Q&A sessions.
The General Chair, Gabriela Ciocarlie, was truly a master of ceremonies and somehow seemed to be in every session and rapidly managed technical difficulties. She and the team of volunteers and staff deserve recognition and gratitude from the community for their service.
Obviously there were technical difficulties, a few talks that did not play at the proper time, sessions running late, failed coordination points, and awkward use of technology in some sessions. As computer scientists and engineers it is easy for us to second guess the decisions that were made and to attempt to engineer a better virtual conference. The organizers for the 2021 conference will have the chance to analyze the lessons learned and to take advantage of the growing wisdom in the community around virtual event planning.
I found the conference interesting, stimulating, and a productive use of time. In fact, I found that I was more focused during the presentations and I got more out of this virtual conference than I have in recent F2F conferences. Of course I truly missed connecting with people. Dave Balenson's text Monday morning joking that he had saved us our usual seats brought tears to my eyes.
2020 IEEE Symposium on Security and Privacy From the perspective of a first-time attendee
Dave DeAngelis, USC/ISI
I had the privilege to attend the IEEE Symposium on Security and Privacy (S&P) as an attendee for the first time. Moreover, 2020 was the first year that S&P was held entirely online.
As a researcher returning to the field, I found the opening remarks and the test of time awards particularly valuable. The histogram of accepted paper topics provided a great snapshot of the field, and the test of time awards showcase the most impactful work over many years of S&P.
I was struck by the breadth of the conference. Research covered many topics including those you might expect like microarchitectural security, authentication, and protocols, but also extended to diverse topics such as large platforms to support further cybersecurity experimentation, global anonymity & censorship, and cyber insurance. I particularly enjoyed the Workshop on Technology and Consumer Protection (ConPro '20). This workshop brought together industry, academia, and regulatory bodies in a new and interesting way to discuss topics with an impact on consumers.
The online conference format introduced several challenges, including how to motivate spontaneous interactions that spark new ideas and collaborations. The comprehensive suite of tools including Zoom, Slack, on24, and Youtube was incredibly helpful in holding the conference remotely, encountering only minor technical difficulties. I think the Donut bot that pairs people together randomly for conversations was a great idea, though it seemed other attendees differed in their opinion. A little more prompting or directed matching could help encourage discussion. I was fortunate to have a productive and interesting conversation about industrial control system security with a leader in the field.
Paper session talks were pre-recorded and broadcast to attendees in order to obviate any streaming technical issues and to accommodate presenters based in widely differing time zones, and sessions began with 2 minute short previews of the talks. The pre-recorded format had some unexpected advantages. First, speakers whose native language is not English were more able to script their presentation and provide subtitles if necessary. Secondly, it helped to manage the presentation pace and scope of detail provided. Lastly, it enabled presenters to showcase entertaining production while maintaining rigorous research quality, as shown in the LVI preview presentation.
Like an in-person conference, sessions were scheduled with 3 in parallel, and the sessions were thoughtfully scheduled to minimize the number of conflicts among competing research interests. However, it was very easy to keep all three tracks open simultaneously and seamlessly switch from one "room" to another, and having the videos available on Youtube was enormously helpful.
An indispensable component of an academic conference is lively Q&A, and I think this was handled as well as can be expected by the moderators, participants, and the Zoom platform. The Slack platform and particularly the #hallway-track channels were very useful for discovering others with shared interests and reaching out directly. Slack is great for 1-on-1 conversations or to discuss a topic prescribed in a particular channel. However, spontaneous unmoderated small group conversations are notoriously difficult to facilitate virtually.
Some of the concessions made to facilitate a fully-remote conference would be very welcome even at a traditional live event, including broad access to recorded talks, Slack-like communication tools, and low registration fees for remote participants.
As a final note, I was impressed with the quality and breadth of the research as well as the agility and dedication demonstrated by the organizing committee in hosting a successful and enjoyable conference. Thank you.
Virtual S&P 2020 - a long-timer's view
by Sven Dietrich
After attending S&P (it will always be "Oakland" for me, no matter where it's going to be held) since 1998, I attended it virtually this year due to the Covid-19 pandemic. While I have enjoyed the talks at Oakland, the most interesting aspect has always been the personal interaction with my peers, the mentoring of the students or upcoming young researchers/faculty (informally at the breaks and meals, or formally at the speed mentoring sessions that I participated in the last few years), and the hallway track. And the wandering off in cliques to nearby dinner restaurants and regrouping at the hotel bar or for those who remember, in Room 606.
Forced to make the best of the situation, the organizing committee did some serious heavy lifting and put together a mixed platform that attracted close to 2000 registrants, but perhaps much less attended at the same time. The Oakland talks were pre-recorded by the paper authors and its teaser talks could be pre-viewed the day of the talks. There were three major components to the virtual presence: the web videos linked off the program on the conference website, Zoom videoconferencing (both in webinar and in meeting modes) for Q&A sessions, BoFs, and workshop sessions, and Slack as a backchannel between them all. There was a virtual hallway track on Slack, and many Slack channels for the conference locations, plus topic-centric hallway tracks. There were multiple tracks to Oakland, up to three that I could count, which made it harder to split my time. To list all the talks I listened to and enjoyed would exceed the space to talk about here, but the ones that fostered discussions among the participants were the most rewarding.
Managing all these channels on top of a regular work day was a bit challenging. Since I wasn't "away" for the conference as I normally would, I still had to tend to my normal day-to-day meetings and interactions and missed a few talks in the process. Of course I could go back to the talks once they had been presented, but the key part is the ability to ask questions at the end of the talk. One would have needed an additional laptop (or desktop) to manage just the Oakland conference, while still keeping up with the other audio/video demands on the viewer's time.
Nevertheless, I enjoyed the Oakland virtual conference as a good substitute under the circumstances. While I did catch up with a few long-time colleagues in the hallway track and in the session, I am looking forward to returning to the real, in-person conference. What I do miss is the scene: who is there to listen to the talks and interact with them. When in webinar mode, the conference is in consumer mode: one sees the moderator, the presenters (called panelists in Zoom webinar speak), but not who else is attending. When some sessions switched to meeting mode, one could see who was there and was asking questions, perhaps chat with them later on Zoom, or catch them in the Slack #hallway-track.
And I had just run SADFE, the digital forensics workshop turned conference, a few days before Oakland using Zoom. I had chosen Zoom meeting mode over the webinar mode for the same reason I experienced at Oakland: the desire to see and be seen.
I look forward to seeing future instantiations of Oakland, whichever form they may take on, but I will always be true to the classic.
I tip my hat to the organizing committee this year: job well done!