MAY 23-27, 2021 AT THE HYATT REGENCY, SAN FRANCISCO, CA
42nd IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.
Based on the experience in the past two years, the reviewing process for IEEE S&P is changed to a quarterly submission model. Within 2.5 months of submission, author notifications of Accept/Revise/Reject decisions will be sent out. For each submission, one of the following decisions will be made:
Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference, possibly after making minor changes with the oversight of a shepherd. Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2021”.
Revise: A limited number of papers will be invited to submit a revision; such papers will receive a specific set of expectations to be met by that revision. Authors can submit a revised paper to the next two quarterly submission deadlines after the notification. The authors should clearly explain in a well-marked appendix how the revisions address the comments of the reviewers. The revised paper will then be re-evaluated, and either accepted or rejected.
Reject: Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
All papers accepted by February 21, 2021 will appear in the proceedings of the symposium in May 2021 and invited to present their work. These include papers that were submitted in December 2020 and were accepted without revision, or papers that were submitted by June 2020, got the Revise decision, and resubmitted the revised paper in December.
All deadlines are 23:59:59 AoE (UTC-12).
As described above, some number of papers will receive a Revise decision, rather than Accept or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Upon receiving a Revise decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for one year from the date of the original submission. Authors can submit a revised paper to the next two quarterly submission deadlines after the notification. Revisions must be accompanied by a summary of the changes that were made.
Statistics on the submissions and decisions will be published once the first review period has finished.
These instructions apply to both the research papers and systematization of knowledge papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper online, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to contact directly the program committee members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days [https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy] to 90 days [https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html] ahead of publication is consistent with authors’ ethical obligations.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8b. All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.
For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will be asked to complete their reviews before reading the provided supplementary material to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Papers must be submitted at: https://oakland21-spring.syssec.rub.de/hotcrp/
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.
|Alina Oprea||Northeastern University|
|Thorsten Holz||Ruhr-Universität Bochum|
|Adam Aviv||The George Washington University|
|Battista Biggio||University of Cagliari|
|Joseph Bonneau||New York University|
|Ioana Boureanu||University of Surrey|
|Billy Brumley||Tampere University|
|Chris Brzuska||Aalto University|
|Kevin Butler||University of Florida|
|Brent Byunghoon Kang||Korea Advanced Institute of Science and Technology (KAIST)|
|Srdjan Capkun||ETH Zurich|
|Lorenzo Cavallaro||King's College London|
|Melissa Chase||Microsoft Research|
|Rahul Chatterjee||University of Wisconsin-Madison|
|Nicolas Christin||Carnegie Mellon University|
|Henry Corrigan-Gibbs||EPFL and MIT CSAIL|
|Manuel Costa||Microsoft Research|
|Cas Cremers||CISPA Helmholtz Center for Information Security|
|Weidong Cui||Microsoft Research|
|Rachel Cummings||Georgia Institute of Technology|
|Anupam Das||North Carolina State University|
|Emiliano De Cristofaro||University College London|
|Brendan Dolan-Gavitt||New York University|
|Adam Doupé||Arizona State University|
|Markus Dürmuth||Ruhr-Universität Bochum|
|Giulia Fanti||Carnegie Mellon University|
|Sebastian Faust||TU Darmstadt|
|Kassem Fawaz||University of Wisconsin-Madison|
|Anders Fogh||Intel Corporation|
|Michael Franz||UC Irvine|
|Matt Fredrikson||Carnegie Mellon University|
|Neil Gong||Duke University|
|Guofei Gu||Texas A&M University|
|Andreas Haeberlen||University of Pennsylvania|
|Matthew Hicks||Virginia Tech|
|Amir Houmansadr||UMass Amherst|
|Suman Jana||Columbia University|
|Limin Jia||Carnegie Mellon University|
|Aniket Kate||Purdue University|
|Stefan Katzenbeisser||University of Passau|
|Yongdae Kim||Korea Advanced Institute of Science and Technology (KAIST)|
|David Kohlbrenner||UC Berkeley|
|Katharina Krombholz||CISPA Helmholtz Center for Information Security|
|Ralf Kuesters||University of Stuttgart|
|Boris Köpf||Microsoft Research|
|Xiaojing Liao||Indiana University Bloomington|
|Martina Lindorfer||TU Wien|
|Matteo Maffei||TU Wien|
|Sergio Maffeis||Imperial College London|
|Clèmentine Maurice||CNRS, IRISA|
|Michelle Mazurek||University of Maryland|
|Andrew Miller||University of Illinois at Urbana-Champaign|
|Nick Nikiforakis||Stony Brook University|
|Yossi Oren||Ben-Gurion University|
|Nicolas Papernot||University of Toronto and Vector Institute|
|Paul Pearce||Georgia Tech and ICSI|
|Marcus Peinado||Microsoft Research|
|Giancarlo Pellegrino||CISPA Helmholtz Center for Information Security|
|Roberto Perdisci||University of Georgia|
|Frank Piessens||KU Leuven|
|Michalis Polychronakis||Stony Brook University|
|Christina Pöpper||New York University Abu Dhabi|
|Zhiyun Qian||UC Riverside|
|Aanjhan Ranganathan||Northeastern University|
|Kasper Rasmussen||University of Oxford|
|Konrad Rieck||TU Braunschweig|
|William Robertson||Northeastern University|
|Christian Rossow||CISPA Helmholtz Center for Information Security|
|Andrei Sabelfeld||Chalmers University of Technology|
|Vyas Sekar||Carnegie Mellon University|
|Simha Sethumadhavan||Columbia University/Chip Scan|
|Srinath Setty||Microsoft Research|
|Hovav Shacham||The University of Texas at Austin|
|Emily Shen||MIT Lincoln Laboratory|
|Reza Shokri||National University of Singapore (NUS)|
|Yan Shoshitaishvili||Arizona State University|
|Deian Stefan||UC San Diego|
|Ben Stock||CISPA Helmholtz Center for Information Security|
|Gang Tan||Penn State University|
|Yuan Tian||University of Virginia|
|Jonathan Ullman||Northeastern University|
|Selcuk Uluagac||Florida International University|
|Blase Ur||University of Chicago|
|Thyla van der Merwe||Mozilla|
|Xiao Wang||Northwestern University|
|Yuval Yarom||University of Adelaide and Data61|
|Yanfang Ye||Case Western Reserve University|
|Fengwei Zhang||Southern University of Science and Technology (SUSTech)|
|Ben Zhao||University of Chicago|
|Yajin Zhou||Zhejiang University|