MAY 23-26, 2022 AT THE HYATT REGENCY, SAN FRANCISCO, CA, & ONLINE
43rd IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Theoretical papers must make a convincing case for the relevance of their results to practice.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. You can find an overview of recent SoK papers at https://oaklandsok.github.io/.
Based on the experience in the past three years, the reviewing process for IEEE S&P is changed to three submission deadlines. For each submission, one of the following decisions will be made:
Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference, possibly after making minor changes with the oversight of a shepherd (Minor Revision). Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2022”.
Major Revision: A limited number of papers will be invited to submit a major revision; such papers will receive a specific set of expectations to be met by that revision. Authors can submit a revised paper to the next two submission deadlines after the notification. The authors should clearly explain in a well-marked appendix how the revisions address the comments of the reviewers. The revised paper will then be re-evaluated, and either accepted or rejected. We will try to assign the same set of reviewers.
Reject: Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
All papers accepted by March 4, 2022 will appear in the proceedings of the symposium in May 2022 and invited to present their work. These include for example papers that were submitted in December 2021 and were accepted without revision, or papers that were submitted in April 2021, got the Major Revision decision, and resubmitted the revised paper in August or December.
All deadlines are 23:59:59 AoE (UTC-12).
We will introduce a rebuttal period during which authors have the opportunity to exchange messages with the reviewers and respond to questions asked. To this end, we will use HotCRP’s anonymous communication feature to enable a communication channel between authors and reviewers. The authors should mainly focus on factual errors in the reviews and concrete questions posed by the reviewers. New research results can also be discussed if they help to clarify open questions. More instructions will be sent out to the authors at the beginning of the rebuttal period.
As described above, some number of papers will receive a Major Revision decision, rather than Accept or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a major revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Authors can submit a revised paper to the next two submission deadlines after the notification. Upon receiving a Major Revision decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for 1 year from the date of the original submission. The table below summarizes the eligible 2022 deadlines for papers that received a revise decision or reject decision for a paper submitted to IEEE S&P’21 for each of the four 2021 cycles.
| 2021 deadlines | Revise decision Eligible 2022 deadlines |
Reject decision Eligible 2022 deadlines |
| Spring 2020 (March 5, 2020) |
None | Any 2021 deadline |
| Summer 2020 (June 4, 2020) |
None | Second deadline (Aug 19, 2021) Third deadline (Dec 2, 2021) |
| Fall 2020 (Sep 3, 2020) |
First deadline (April 15, 2021) |
Third deadline (Dec 2, 2021) |
| Winter 2020 (Dec 3, 2020) |
First deadline (April 15, 2021) Second deadline (Aug 19, 2021) |
Third deadline (Dec 2, 2021) |
These instructions apply to both the research papers and systematization of knowledge (SoK) papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review. PC members who have a genuine conflict of interest with a paper, including the PC Co-Chairs and the Associate Chairs, will be excluded from evaluation and discussion of that paper.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper to an archival repository such as arXiv, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to directly contact PC members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
The PC member is a co-author of the paper.
The PC member has been a collaborator within the past two years.
The PC member is or was the author's primary thesis advisor, no matter how long ago.
The author is or was the PC member's primary thesis advisor, no matter how long ago.
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. The program chairs will review declared conflicts. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
New to Oakland 2022 is a research ethics committee (REC) that will check papers flagged by reviewers as potentially including ethically fraught research. The REC will review flagged papers and may suggest to the PC Chairs rejection of a paper on ethical grounds. The REC consists of members of the PC. Authors are encouraged to review the Menlo Report for general ethical guidelines for computer and information security research.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.
Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, "Author X is on the Technical Advisory Board of the ByteCoin Foundation," or "Professor Y is the CTO of DoubleDefense, which specializes in malware analysis." More information regarding this policy is available here.
For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will only see the provided supplementary material after finishing their own review to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8b. All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.
| Thorsten Holz | Ruhr-Universität Bochum |
| Thomas Ristenpart | Cornell University |
| Joseph Bonneau | New York University |
| Cristiano Giuffrida | Vrije Universiteit Amsterdam |
| Zakir Durumeric | Stanford University |
| Nicolas Papernot | University of Toronto and Vector Institute |
| Emily Stark | |
| Andrei Sabelfeld | Chalmers University of Technology |
| Abhradeep Guha Thakurta | Google Research - Brain |
| Adria Gascon | Google LLC |
| Ahmad-Reza Sadeghi | TU Darmstadt |
| Alexandra Dmitrienko | University of Wuerzburg |
| Alice Hutchings | University of Cambridge |
| Andrew Myers | Cornell University |
| Andrew Paverd | Microsoft Research |
| Anil Kurmus | IBM Research Europe |
| Anja Lehmann | Hasso-Plattner-Institute, University of Potsdam |
| Ariel Herbert-Voss | OpenAI and Harvard |
| Antonio Bianchi | Purdue University |
| Arthur Gervais | Imperial College London |
| Aurélien Francillon | EURECOM |
| Battista Biggio | University of Cagliari |
| Ben Y. Zhao | University of Chicago |
| Billy Brumley | Tampere University |
| Boris Köpf | Microsoft Research |
| Brendan Saltaformaggio | Georgia Institute of Technology |
| Brent ByungHoon Kang | KAIST |
| Cas Cremers | CISPA Helmholtz Center for Information Security |
| Chengyu Song | UC Riverside |
| Chris Brzuska | Aalto University |
| Christian Cachin | University of Bern |
| Christian Rossow | CISPA Helmholtz Center for Information Security |
| Christian Wachsmann | Intel Corporation |
| Christian Wressnegger | Karlsruhe Institute of Technology (KIT) |
| Christina Poepper | New York University Abu Dhabi |
| Christopher Fletcher | University of Illinois--Urbana Champaign |
| Christopher Kruegel | University of California, Santa Barbara |
| Clémentine Maurice | Univ Lille, CNRS, Inria |
| Cristiano Giuffrida | Vrije Universiteit Amsterdam |
| Cristina Nita-Rotaru | Northeastern University |
| Cynthia Sturton | University of North Carolina at Chapel Hill |
| Danny Yuxing Huang | New York University |
| David Cash | University of Chicago |
| David Choffnes | Northeastern University |
| David Kohlbrenner | University of Washington |
| David Lie | Univ. Toronto |
| Davide Balzarotti | EURECOM |
| Devdatta Akhawe | Figma |
| Elissa Redmiles | Max Planck Institute for Software Systems |
| Emiliano De Cristofaro | UCL |
| Emily Shen | MIT Lincoln Laboratory |
| Emily Stark | Google Inc. |
| Engin Kirda | Northeastern University |
| Eric Bodden | Heinz Nixdorf Institute at Paderborn University & Fraunhofer IEM |
| Fabio Pierazzi | King's College London |
| Feargus Pendlebury | Royal Holloway, University of London |
| Fengwei Zhang | Southern University of Science and Technology (SUSTech) |
| Florian Tramèr | Stanford University |
| Frank Li | Georgia Institute of Technology |
| Fraser Brown | Stanford University |
| Gang Tan | Penn State |
| Gang Wang | University of Illinois at Urbana-Champaign |
| Giancarlo Pellegrino | CISPA Helmholtz Center for Information Security |
| Gianluca Stringhini | Boston University |
| Gilles Barthe | MPI-SP and IMDEA Software Institute |
| Giovanni Cherubin | Alan Turing Institute |
| Giulio Malavolta | Max Planck Institute for Security and Privacy |
| Grant Ho | UC San Diego |
| Gururaj Saileshwar | Georgia Institute of Technology |
| Heng Yin | UC Riverside |
| Henry Corrigan-Gibbs | MIT CSAIL |
| Herbert Bos | Vrije Universiteit Amsterdam |
| Hovav Shacham | The University of Texas at Austin |
| Ioana Boureanu | Univ. of Surrey, Surrey Centre for Cyber Security |
| Iulia Ion | |
| Jason Polakis | University of Illinois at Chicago |
| Jean-Pierre Seifert | TU Berlin |
| Jeremiah Blocki | Purdue University |
| Johannes Kinder | Bundeswehr University Munich |
| Jon McCune | |
| Jörg Schwenk | Ruhr-University Bochum |
| Joseph Bonneau | New York University |
| Juan Caballero | IMDEA Software Institute |
| Jun Xu | Stevens Institute of Technology |
| Juraj Somorovsky | University Paderborn |
| Kai Chen | Institute of Information Engineering, Chinese Academy of Sciences, China |
| Karthikeyan Bhargavan | INRIA |
| Kassem Fawaz | University of Wisconsin-Madison |
| Katharina Kohls | Radboud University |
| Katharina Krombholz | CISPA Helmholtz Center for Information Security |
| Kaveh Razavi | ETH Zurich |
| Kevin Borgolte | TU Delft |
| Leyla Bilge | NortonLifeLock Research Group |
| Limin Jia | CMU |
| Long Lu | Northeastern University |
| Lorenzo Cavallaro | University College London |
| Luca Invernizzi | |
| Lucas Davi | University of Duisburg-Essen |
| Manuel Egele | Boston University |
| Marco Guarnieri | IMDEA Software Institute |
| Marcus Peinado | Microsoft Research |
| Marie Vasek | University College London |
| Mario Fritz | CISPA Helmholtz Center for Information Security |
| Markulf Kohlweiss | University of Edinburgh, IOHK |
| Markus Duermuth | Ruhr-University Bochum |
| Martin Johns | TU Braunschweig |
| Mathias Lecuyer | Microsoft Research |
| Matteo Maffei | TU Wien |
| Matthias Neugschwandtner | Oracle Labs |
| McKenna McCall | Carnegie Mellon University |
| Michael Hicks | University of Maryland |
| Nathan Dautenhahn | Rice University |
| Neil Gong | Duke University |
| Nicholas Carlini | Google Brain |
| Nick Hopper | University of Minnesota |
| Nicolas Papernot | University of Toronto |
| Ninghui Li | Purdue University |
| Olya Ohrimenko | University of Melbourne |
| Omar Chowdhury | The University of Iowa |
| Pardis Emami-Naeini | University of Washington |
| Patrick McDaniel | Penn State University |
| Patrick Traynor | University of Florida |
| Paul Grubbs | U Michigan |
| Paul Pearce | Georgia Tech; International Computer Science Institute |
| Pedro Fonseca | Purdue University |
| Pedro Moreno-Sanchez | IMDEA Software Institute |
| Peter Schwabe | MPI-SP & Radboud University |
| Qi Li | Tsinghua University |
| Rahul Chatterjee | University of Wisconsin--Madison |
| Riad Wahby | Stanford University |
| Riccardo Paccagnella | University of Illinois at Urbana-Champaign |
| Sam King | UC Davis and Bouncer Technologies |
| Sarah Meiklejohn | University College London / Google |
| Sascha Fahl | CISPA Helmholtz Center for Information Security |
| Sebastian Angel | University of Pennsylvania |
| Sebastian Faust | Technische Universität Darmstadt |
| Sophie Schmieg | |
| Srdjan Capkun | ETH Zuerich |
| Srinath Setty | Microsoft Research |
| Stefan Brunthaler | μCSRL, CODE Research Institute, Bundeswehr University Munich |
| Stefano Tessaro | University of Washington |
| Sunoo Park | Cornell Tech |
| Sven Bugiel | CISPA Helmholtz Center for Information Security |
| Taesoo Kim | Georgia Institute of Technology |
| Tamara Rezk | INRIA Sophia-Antipolis |
| Thomas Eisenbarth | University of Lübeck |
| Thomas Ristenpart chair | Cornell Tech |
| Thorsten Holz chair | CISPA Helmholtz Center for Information Security |
| Thorsten Strufe | Karlsruhe Institute of Technology and CeTI/TU Dresden |
| Tibor Jager | Bergische Universität Wuppertal |
| Tiffany Bao | Arizona State University |
| Tobias Fiebig | TU Delft |
| Trevor Perrin | Independent |
| Tudor Dumitras | University of Maryland |
| Vasileios Kemerlis | Brown University |
| Véronique Cortier | Loria (CNRS, France) |
| Vincent Bindschaedler | University of Florida |
| Wenyuan Xu | Zhejiang University |
| XiaoFeng Wang | Indiana University Bloomington |
| Xiaojing Liao | Indiana University Bloomington |
| Xinyu Xing | Pennsylvania State University |
| Yajin Zhou | Zhejiang University |
| Yan Shoshitaishvili | Arizona State University |
| Yanfang (Fanny) Ye | Case Western Reserve University |
| Yasemin Acar | Max Planck Institute for Security and Privacy |
| Yinqian Zhang | Southern University of Science and Technology |
| Yongdae Kim | KAIST |
| Yossi Oren | Ben-Gurion University of the Negev |
| Yuan Tian | University of Virginia |
| Yuan Zhang | Fudan University |
| Yuval Yarom | University of Adelaide |
| Zakir Durumeric | Stanford University |
| Zhiqiang Lin | Ohio State University |
| Zubair Shafiq | University of California, Davis |
| Ulfar Erlingsson (TC Chair) | Lacework |
| Christopher Kruegel | UC Santa Barbara |
| Alina Oprea | Northeastern University |
| Bryan Parno (TC Vice Chair) | Carnegie Mellon University |
| Sean Peisert | UC Davis |
| Michael Reiter | Duke University |
| Hovav Shacham | University of Texas at Austin |
| Greg Shannon | Carnegie Mellon University and the Cybersecurity Manufacturing Innovation Institute |
| Carmela Troncoso | EPFL |