43rd IEEE Symposium on
Security and Privacy

Call For Papers

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Theoretical papers must make a convincing case for the relevance of their results to practice.

Topics of interest include:

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. You can find an overview of recent SoK papers at

Submission Deadlines & Decisions

Based on the experience in the past three years, the reviewing process for IEEE S&P is changed to three submission deadlines. For each submission, one of the following decisions will be made:

All papers accepted by March 4, 2022 will appear in the proceedings of the symposium in May 2022 and invited to present their work. These include for example papers that were submitted in December 2021 and were accepted without revision, or papers that were submitted in April 2021, got the Major Revision decision, and resubmitted the revised paper in August or December.

Important Dates

All deadlines are 23:59:59 AoE (UTC-12).

First deadline

Second deadline

Third deadline

Rebuttal Period

We will introduce a rebuttal period during which authors have the opportunity to exchange messages with the reviewers and respond to questions asked. To this end, we will use HotCRP’s anonymous communication feature to enable a communication channel between authors and reviewers. The authors should mainly focus on factual errors in the reviews and concrete questions posed by the reviewers. New research results can also be discussed if they help to clarify open questions. More instructions will be sent out to the authors at the beginning of the rebuttal period.

Major Revision Submissions & Rejected Papers

As described above, some number of papers will receive a Major Revision decision, rather than Accept or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a major revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Authors can submit a revised paper to the next two submission deadlines after the notification. Upon receiving a Major Revision decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for 1 year from the date of the original submission. The table below summarizes the eligible 2022 deadlines for papers that received a revise decision or reject decision for a paper submitted to IEEE S&P’21 for each of the four 2021 cycles.

2021 deadlines Revise decision
Eligible 2022 deadlines
Reject decision
Eligible 2022 deadlines
Spring 2020
(March 5, 2020)
None Any 2021 deadline
Summer 2020
(June 4, 2020)
None Second deadline
(Aug 19, 2021)
Third deadline
(Dec 2, 2021)
Fall 2020
(Sep 3, 2020)
First deadline
(April 15, 2021)
Third deadline
(Dec 2, 2021)
Winter 2020
(Dec 3, 2020)
First deadline
(April 15, 2021)
Second deadline
(Aug 19, 2021)
Third deadline
(Dec 2, 2021)

Instructions for Paper Submission

These instructions apply to both the research papers and systematization of knowledge (SoK) papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.

Anonymous Submission

Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review. PC members who have a genuine conflict of interest with a paper, including the PC Co-Chairs and the Associate Chairs, will be excluded from evaluation and discussion of that paper.

While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper to an archival repository such as arXiv, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to directly contact PC members to discuss their submission.

The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.

Conflicts of Interest

During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:

  1. The PC member is a co-author of the paper.

  2. The PC member has been a co-worker in the same company or university within the past two years.
    • For student interns, the student is conflicted with their supervisors and with members of the same research group. If the student no longer works for the organization, then they are not conflicted with a PC member from the larger organization.
  3. The PC member has been a collaborator within the past two years.

  4. The PC member is or was the author's primary thesis advisor, no matter how long ago.

  5. The author is or was the PC member's primary thesis advisor, no matter how long ago.

  6. The PC member is a relative or close personal friend of the author.

For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. The program chairs will review declared conflicts. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.

Research Ethics Committee

New to Oakland 2022 is a research ethics committee (REC) that will check papers flagged by reviewers as potentially including ethically fraught research. The REC will review flagged papers and may suggest to the PC Chairs rejection of a paper on ethical grounds. The REC consists of members of the PC. Authors are encouraged to review the Menlo Report for general ethical guidelines for computer and information security research.

Ethical Considerations for Vulnerability Disclosure

Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days to 90 days ahead of publication is consistent with authors’ ethical obligations.

Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.

The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Ethical Considerations for Human Subjects Research

Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:

  1. Disclose whether the research received an approval or waiver from each of the authors' institutional ethics review boards (IRB) if applicable.
  2. Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect.

If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Financial and Non-financial competing interests

In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, "Author X is on the Technical Advisory Board of the ByteCoin Foundation," or "Professor Y is the CTO of DoubleDefense, which specializes in malware analysis." More information regarding this policy is available here.

Reviews from Prior Submissions

For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will only see the provided supplementary material after finishing their own review to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.

Page Limit and Formatting

Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.

Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8b. All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.

Conference Submission Server

Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.

Publication and Presentation

Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.

Program Committee

PC Chairs

Thorsten Holz Ruhr-Universität Bochum
Thomas Ristenpart Cornell University

Associate Chairs

Joseph Bonneau New York University
Cristiano Giuffrida Vrije Universiteit Amsterdam
Zakir Durumeric Stanford University
Nicolas Papernot University of Toronto and Vector Institute
Emily Stark Google
Andrei Sabelfeld Chalmers University of Technology

PC Members

Abhradeep Guha Thakurta Google Research - Brain
Adria Gascon Google LLC
Ahmad-Reza Sadeghi TU Darmstadt
Alexandra Dmitrienko University of Wuerzburg
Alice Hutchings University of Cambridge
Andrew Myers Cornell University
Andrew Paverd Microsoft Research
Anil Kurmus IBM Research Europe
Anja Lehmann Hasso-Plattner-Institute, University of Potsdam
Ariel Herbert-Voss OpenAI and Harvard
Antonio Bianchi Purdue University
Arthur Gervais Imperial College London
Aurélien Francillon EURECOM
Battista Biggio University of Cagliari
Ben Y. Zhao University of Chicago
Billy Brumley Tampere University
Boris Köpf Microsoft Research
Brendan Saltaformaggio Georgia Institute of Technology
Brent ByungHoon Kang KAIST
Cas Cremers CISPA Helmholtz Center for Information Security
Chengyu Song UC Riverside
Chris Brzuska Aalto University
Christian Cachin University of Bern
Christian Rossow CISPA Helmholtz Center for Information Security
Christian Wachsmann Intel Corporation
Christian Wressnegger Karlsruhe Institute of Technology (KIT)
Christina Poepper New York University Abu Dhabi
Christopher Fletcher University of Illinois--Urbana Champaign
Christopher Kruegel University of California, Santa Barbara
Clémentine Maurice Univ Lille, CNRS, Inria
Cristiano Giuffrida Vrije Universiteit Amsterdam
Cristina Nita-Rotaru Northeastern University
Cynthia Sturton University of North Carolina at Chapel Hill
Danny Yuxing Huang New York University
David Cash University of Chicago
David Choffnes Northeastern University
David Kohlbrenner University of Washington
David Lie Univ. Toronto
Davide Balzarotti EURECOM
Devdatta Akhawe Figma
Elissa Redmiles Max Planck Institute for Software Systems
Emiliano De Cristofaro UCL
Emily Shen MIT Lincoln Laboratory
Emily Stark Google Inc.
Engin Kirda Northeastern University
Eric Bodden Heinz Nixdorf Institute at Paderborn University & Fraunhofer IEM
Fabio Pierazzi King's College London
Feargus Pendlebury Royal Holloway, University of London
Fengwei Zhang Southern University of Science and Technology (SUSTech)
Florian Tramèr Stanford University
Frank Li Georgia Institute of Technology
Fraser Brown Stanford University
Gang Tan Penn State
Gang Wang University of Illinois at Urbana-Champaign
Giancarlo Pellegrino CISPA Helmholtz Center for Information Security
Gianluca Stringhini Boston University
Gilles Barthe MPI-SP and IMDEA Software Institute
Giovanni Cherubin Alan Turing Institute
Giulio Malavolta Max Planck Institute for Security and Privacy
Grant Ho UC San Diego
Gururaj Saileshwar Georgia Institute of Technology
Heng Yin UC Riverside
Henry Corrigan-Gibbs MIT CSAIL
Herbert Bos Vrije Universiteit Amsterdam
Hovav Shacham The University of Texas at Austin
Ioana Boureanu Univ. of Surrey, Surrey Centre for Cyber Security
Iulia Ion Google
Jason Polakis University of Illinois at Chicago
Jean-Pierre Seifert TU Berlin
Jeremiah Blocki Purdue University
Johannes Kinder Bundeswehr University Munich
Jon McCune Google
Jörg Schwenk Ruhr-University Bochum
Joseph Bonneau New York University
Juan Caballero IMDEA Software Institute
Jun Xu Stevens Institute of Technology
Juraj Somorovsky University Paderborn
Kai Chen Institute of Information Engineering, Chinese Academy of Sciences, China
Karthikeyan Bhargavan INRIA
Kassem Fawaz University of Wisconsin-Madison
Katharina Kohls Radboud University
Katharina Krombholz CISPA Helmholtz Center for Information Security
Kaveh Razavi ETH Zurich
Kevin Borgolte TU Delft
Leyla Bilge NortonLifeLock Research Group
Limin Jia CMU
Long Lu Northeastern University
Lorenzo Cavallaro University College London
Luca Invernizzi Google
Lucas Davi University of Duisburg-Essen
Manuel Egele Boston University
Marco Guarnieri IMDEA Software Institute
Marcus Peinado Microsoft Research
Marie Vasek University College London
Mario Fritz CISPA Helmholtz Center for Information Security
Markulf Kohlweiss University of Edinburgh, IOHK
Markus Duermuth Ruhr-University Bochum
Martin Johns TU Braunschweig
Mathias Lecuyer Microsoft Research
Matteo Maffei TU Wien
Matthias Neugschwandtner Oracle Labs
McKenna McCall Carnegie Mellon University
Michael Hicks University of Maryland
Nathan Dautenhahn Rice University
Neil Gong Duke University
Nicholas Carlini Google Brain
Nick Hopper University of Minnesota
Nicolas Papernot University of Toronto
Ninghui Li Purdue University
Olya Ohrimenko University of Melbourne
Omar Chowdhury The University of Iowa
Pardis Emami-Naeini University of Washington
Patrick McDaniel Penn State University
Patrick Traynor University of Florida
Paul Grubbs U Michigan
Paul Pearce Georgia Tech; International Computer Science Institute
Pedro Fonseca Purdue University
Pedro Moreno-Sanchez IMDEA Software Institute
Peter Schwabe MPI-SP & Radboud University
Qi Li Tsinghua University
Rahul Chatterjee University of Wisconsin--Madison
Riad Wahby Stanford University
Riccardo Paccagnella University of Illinois at Urbana-Champaign
Sam King UC Davis and Bouncer Technologies
Sarah Meiklejohn University College London / Google
Sascha Fahl CISPA Helmholtz Center for Information Security
Sebastian Angel University of Pennsylvania
Sebastian Faust Technische Universität Darmstadt
Sophie Schmieg Google
Srdjan Capkun ETH Zuerich
Srinath Setty Microsoft Research
Stefan Brunthaler μCSRL, CODE Research Institute, Bundeswehr University Munich
Stefano Tessaro University of Washington
Sunoo Park Cornell Tech
Sven Bugiel CISPA Helmholtz Center for Information Security
Taesoo Kim Georgia Institute of Technology
Tamara Rezk INRIA Sophia-Antipolis
Thomas Eisenbarth University of Lübeck
Thomas Ristenpart chair Cornell Tech
Thorsten Holz chair CISPA Helmholtz Center for Information Security
Thorsten Strufe Karlsruhe Institute of Technology and CeTI/TU Dresden
Tibor Jager Bergische Universität Wuppertal
Tiffany Bao Arizona State University
Tobias Fiebig TU Delft
Trevor Perrin Independent
Tudor Dumitras University of Maryland
Vasileios Kemerlis Brown University
Véronique Cortier Loria (CNRS, France)
Vincent Bindschaedler University of Florida
Wenyuan Xu Zhejiang University
XiaoFeng Wang Indiana University Bloomington
Xiaojing Liao Indiana University Bloomington
Xinyu Xing Pennsylvania State University
Yajin Zhou Zhejiang University
Yan Shoshitaishvili Arizona State University
Yanfang (Fanny) Ye Case Western Reserve University
Yasemin Acar Max Planck Institute for Security and Privacy
Yinqian Zhang Southern University of Science and Technology
Yongdae Kim KAIST
Yossi Oren Ben-Gurion University of the Negev
Yuan Tian University of Virginia
Yuan Zhang Fudan University
Yuval Yarom University of Adelaide
Zakir Durumeric Stanford University
Zhiqiang Lin Ohio State University
Zubair Shafiq University of California, Davis

Steering Committee

Ulfar Erlingsson (TC Chair)Lacework
Christopher KruegelUC Santa Barbara
Alina OpreaNortheastern University
Bryan Parno (TC Vice Chair)Carnegie Mellon University
Sean PeisertUC Davis
Michael ReiterDuke University
Hovav ShachamUniversity of Texas at Austin
Greg ShannonCarnegie Mellon University and the Cybersecurity Manufacturing Innovation Institute
Carmela TroncosoEPFL