MAY 22-25, 2023 AT THE HYATT REGENCY, SAN FRANCISCO, CA & ONLINE
44th IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Theoretical papers must make a convincing case for the relevance of their results to practice.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. You can find an overview of recent SoK papers at https://oaklandsok.github.io/.
Based on the experience in the past three years, the reviewing process for IEEE S&P is changed to three submission deadlines. For each submission, one of the following decisions will be made:
Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference. Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2023”.
Conditional accept: These papers should be accepted, but with shepherding to check that some minor revisions requested by reviewers are made. Minor revisions typically are editorial changes that are relatively straightforward for authors to execute in the time between decisions and the camera-ready deadline. Minor revisions generally should not require new experiments or analyses that have a reasonable likelihood of failure.
Major Revision: A limited number of papers will be invited to submit a major revision; such papers will receive a specific set of expectations to be met by that revision. Authors can submit a revised paper to the next two submission deadlines after the notification. The authors should clearly explain in a well-marked appendix how the revisions address the comments of the reviewers. The revised paper will then be re-evaluated, and either accepted or rejected. We will try to assign the same set of reviewers.
Reject: Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
All papers accepted by March 10, 2023 will appear in the proceedings of the symposium in May 2023 and invited to present their work. These include for example papers that were submitted in December 2022 and were accepted without revision, or papers that were submitted in April 2022, got the Major Revision decision, and resubmitted the revised paper in August or December.
All deadlines are 23:59:59 AoE (UTC-12).
We will introduce a rebuttal period during which authors have the opportunity to exchange messages with the reviewers and respond to questions asked. To this end, we will use HotCRP’s anonymous communication feature to enable a communication channel between authors and reviewers. The authors should mainly focus on factual errors in the reviews and concrete questions posed by the reviewers. New research results can also be discussed if they help to clarify open questions. More instructions will be sent out to the authors at the beginning of the rebuttal period.
As described above, some number of papers will receive a Major Revision decision, rather than Accept, Conditional Accept, or Reject. This decision will be accompanied by a detailed summary of the expectations for the revision, in addition to the standard reviewer comments. The authors may prepare a major revision, which may include running additional experiments, improving the paper’s presentation, or other such improvements. Papers meeting the expectations will typically be accepted. Those that do not will be rejected. Only in exceptional circumstances will additional revisions be requested. Authors can submit a revised paper to the next two submission deadlines after the notification. Upon receiving a Major Revision decision, authors can choose to withdraw their paper or not submit a revision, but they will be asked to not submit the same or similar work again (following the same rules as for Rejected papers) for 1 year from the date of the original submission. The table below summarizes the eligible 2022 deadlines for papers that received a revise decision or reject decision for a paper submitted to IEEE S&P’22 for each of the three 2022 cycles.
| 2022 deadlines | Revise decision Eligible 2023 deadlines |
Reject decision Eligible 2023 deadlines |
| First 2021 (April 15, 2021) |
None | Any 2023 deadline |
| Second 2021 (August 19, 2021) |
First deadline (April 1,2022) |
Second deadline (Aug 19, 2022) Third deadline (Dec 2, 2022) |
| Third 2021 (Dec 2, 2021) |
First deadline (April 1, 2022) Second deadline (August 19, 2022) |
Third deadline (Dec 2, 2022) |
These instructions apply to both the research papers and systematization of knowledge (SoK) papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review. PC members who have a genuine conflict of interest with a paper, including the PC Co-Chairs and the Associate Chairs, will be excluded from evaluation and discussion of that paper.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper to an archival repository such as arXiv, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to directly contact PC members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper's authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
The PC member is a co-author of the paper.
The PC member has been a collaborator within the past two years.
The PC member is or was the author's primary thesis advisor, no matter how long ago.
The author is or was the PC member's primary thesis advisor, no matter how long ago.
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. The program chairs will review declared conflicts. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
New to Oakland 2023 is a research ethics committee (REC) that will check papers flagged by reviewers as potentially including ethically fraught research. The REC will review flagged papers and may suggest to the PC Chairs rejection of a paper on ethical grounds. The REC consists of members of the PC. Authors are encouraged to review the Menlo Report for general ethical guidelines for computer and information security research.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.
Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, "Author X is on the Technical Advisory Board of the ByteCoin Foundation," or "Professor Y is the CTO of DoubleDefense, which specializes in malware analysis." More information regarding this policy is available here.
For papers that were previously submitted to, and rejected from, another conference, authors are required to submit a separate document containing the prior reviews along with a description of how those reviews were addressed in the current version of the paper. Authors are only required to include reviews from the last time the paper was submitted. Reviewers will only see the provided supplementary material after finishing their own review to avoid being biased in formulating their own opinions; once their reviews are complete, however, reviewers will be given the opportunity to provide additional comments based on the submission history of the paper. Authors who try to circumvent this rule (e.g., by changing the title of the paper without significantly changing the contents) may have their papers rejected without further consideration, at the discretion of the PC chairs.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing.
Authors may use the IEEE conference proceedings templates. LaTeX submissions using the IEEE templates should use IEEEtran.cls version 1.8b with options “conference,compsoc.” (That is, begin your LaTeX document with the line \documentclass[conference,compsoc]{IEEEtran}.)
Whether or not a submission uses the IEEE templates, the authors alone are responsible for ensuring that their paper complies with the formatting guidelines above (column size, margins, font size, line spacing etc.). All submissions will be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements are grounds for rejection without review.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to present the paper at the conference.
| Thomas Ristenpart | Cornell Tech |
| Patrick Traynor | University of Florida |
| Henry Corrigan-Gibbs | MIT |
| Adam Doupe | Arizona State University |
| Sarah Meiklejohn | Google / UCL |
| Nicolas Papernot | University of Toronto and Vector Institute |
| Christina Poepper | NYU Abu Dhabi |
| Mariana Raykova | |
| Elissa Redmiles | MPI SWS |
| Andrei Sabelfeld | Chalmers University |
| Ben Stock | CISPA |
| Yuval Yarom | University of Adelaide |
| Srdjan Capkun | ETH |
| Aanjhan Ranganathan | Northeastern University |
| Aastha Mehta | University of British Columbia, Vancouver |
| AbdelRahman Abdou | Carleton University |
| Adam Oest | PayPal, Inc. |
| Adria Gascon | Google Research |
| Adrian Dabrowski | University of California, Irvine |
| Adwait Nadkarni | William & Mary |
| Ahmad-Reza Sadeghi | Technische Universität Darmstadt |
| Alexandros Kapravelos | North Carolina State University |
| Ali Mashtizadeh | University of Waterloo |
| Alin Tomescu | VMware |
| Allison McDonald | Boston University |
| Amrita Roy Chowdhury | UCSD |
| Ananth Raghunathan | Meta Inc |
| Andreas Terzis | |
| Andrew Paverd | Microsoft |
| Ang Chen | Rice University |
| Aniket Kate | Purdue University |
| Anil Kurmus | IBM Research Europe - Zurich |
| Antonis Michalas | Tampere University |
| Arthur Gervais | Imperial College London |
| Aurore Fass | Stanford University |
| Benjamin Ujcich | Georgetown University |
| Benny Pinkas | Bar-Ilan University |
| Boris Köpf | Microsoft Research |
| Bradley Reaves | North Carolina State University |
| Brendan Dolan-Gavitt | NYU |
| Brendan Saltaformaggio | Georgia Institute of Technology |
| Carrie Gates | Bank of America |
| Chitchanok Chuengsatiansup | The University of Adelaide, Australia |
| Chris Geeng | University of Washington |
| Christopher Fletcher | UIUC |
| Cristian-Alexandru Staicu | CISPA Helmholtz Center for Information Security |
| Daniel Moghimi | University of California San Diego |
| Daniel Rausch | University of Stuttgart |
| Daniel Votipka | Tufts University |
| Danny Yuxing Huang | New York University |
| Dave Levin | University of Maryland |
| Dave (Jing) Tian | Purdue University |
| David Wu | UT Austin |
| David Lie | University of Toronto |
| David Mohaisen | University of Central Florida |
| David Kohlbrenner | University of Washington |
| David Barrera | Carleton University |
| Earlence Fernandes | University of Wisconsin-Madison |
| Eleftherios Kokoris Kogias | IST Austria |
| Emiliano De Cristofaro | Ucl |
| Eric Zeng | University of Washington |
| Eyal Ronen | Tel Aviv University |
| Fabio Pagani | University of California, Santa Barbara |
| Fabio Pierazzi | King's College London |
| Fan Zhang | Duke University |
| Feargus Pendlebury | University College London & Meta |
| Felix Günther | ETH Zurich |
| Fengwei Zhang | Southern University of Science and Technology |
| Fish Wang | Arizona State University |
| Florian Kerschbaum | University of Waterloo |
| Florian Tramer | ETH Zurich / Google |
| Frank Li | Georgia Institute of Technology |
| Frank Piessens | KU Leuven |
| Franziska Boenisch | Fraunhofer AISEC |
| Fraser Brown | CMU / Stanford |
| Gabriel Kaptchuk | Boston University |
| Gabriela Ciocarlie | University of Texas at San Antonio |
| Gang Wang | University of Illinois at Urbana-Champaign |
| Gennie Gebhart | Electronic Frontier Foundation |
| Giancarlo Pellegrino | CISPA Helmholtz Center for Information Security |
| Giovanni Cherubin | Microsoft Research |
| Giulia Fanti | Carnegie Mellon University |
| Grant Hernandez | Qualcomm |
| Guevara Noubir | Northeastern University |
| Guido Schmitz | Royal Holloway, University of London |
| Guofei Gu | Texas A&M University |
| Hadi Abdullah | University of Florida |
| Hamed Okhravi | MIT Lincoln Laboratory |
| Hyunghoon Cho | Broad Institute of MIT and Harvard |
| Ian Miers | UMD |
| Ivan Evtimov | Meta AI |
| Ivan Puddu | ETH Zurich |
| Jason Polakis | University of Illinois Chicago |
| Jason (Minhui) Xue | University of Adelaide and Data61-CSIRO |
| Jeremiah Blocki | Purdue University |
| Jiska Classen | TU Darmstadt, Secure Mobile Networking Lab |
| Jon McCune | |
| Jun Xu | University of Utah |
| Jörg Schwenk | Ruhr University Bochum |
| Kasper Rasmussen | University of Oxford |
| Kassem Fawaz | University of Wisconsin-Madison |
| Kathrin Grosse | EPFL |
| Kevin Butler | University of Florida |
| Konrad Rieck | TU Braunschweig |
| Kurt Thomas | |
| Lejla Batina | Radboud University, The Netherlands |
| Liang Wang | Princeton University |
| Liang Wang | Princeton University |
| Lianying Zhao | Carleton University |
| Ling Ren | University of Illinois at Urbana-Champaign |
| Maliheh Shirvanian | Visa Research |
| Mario Fritz | CISPA Helmholtz Center for Information Security |
| Marius Muench | Vrije Universiteit Amsterdam |
| Marshini Chetty | University of Chicago |
| Martin Johns | TU Braunschweig |
| Martina Lindorfer | TU Wien |
| Mathias Lécuyer | University of British Columbia |
| Mathias Payer | EPFL |
| Mathy Vanhoef | KU Leuven |
| Mayank Varia | Boston University |
| Mengjia Yan | MIT |
| Michael Specter | |
| Michael Franz | University of California, Irvine |
| Michelle Mazurek | University of Maryland |
| Mihalis Maniatakos | NYU Abu Dhabi |
| Mohamed Tarek Ibn Ziad | Columbia University |
| Mohammad Yaghini | University of Toronto, Vector Institute |
| Murtuza Jadliwala | The University of Texas at San Antonio |
| Nathan Dautenhahn | Rice University |
| Nathan Malkin | University of Maryland |
| Nguyen Phong Hoang | University of Chicago |
| Nick Nikiforakis | Stony Brook University |
| Nicolas Christin | Carnegie Mellon University |
| Olya Ohrimenko | The University of Melbourne |
| Omar Chowdhury | The University of Iowa |
| Panos Papadimitratos | KTH Royal Institute of Technology |
| Pardis Emami-Naeini | University of Washington |
| Pascal Reisert | University of Stuttgart, Germany |
| Paul Grubbs | University of Michigan |
| Peter Snyder | Brave Software |
| Philipp Jovanovic | University College London |
| Phillipp Schoppmann | |
| Qi Li | Tsinghua University |
| Qiang Tang | The University of Sydney |
| Quinn Burke | Penn State |
| Reza Shokri | National University of Singapore (NUS) |
| Riad Wahby | Carnegie Mellon University |
| Rishab Nithyanand | University of Iowa |
| Roei Schuster | Vector Institute |
| Ruzica Piskac | Yale University |
| Ryan Gerdes | Virginia Tech |
| Ryan Sheatsley | The Pennsylvania State University |
| Saeed Mahloujifar | Princeton |
| Sam King | UC Davis |
| Sanchari Das | University of Denver |
| Sara Rampazzi | University of Florida |
| Sascha Fahl | CISPA |
| Sebastian Angel | Microsoft Research and University of Pennsylvania |
| Sergio Maffeis | Imperial College London |
| Shuai Wang | Hong Kong University of Science and Technology |
| Shweta Shinde | ETH Zurich |
| Sooel Son | KAIST |
| Stefan Katzenbeisser | University of Passau |
| Stephen McCamant | University of Minnesota |
| Stjepan Picek | Radboud University, The Netherlands |
| Sunoo Park | Cornell Tech |
| Syed Rafiul Hussain | Pennsylvania State University |
| Tara Whalen | Cloudflare |
| Tempestt Neal | University of South Florida |
| Thomas Wies | New York University |
| Tiffany Bao | ASU |
| Tijay Chung | Virginia Tech |
| Tobias Fiebig | Max-Planck-Institut für Informatik |
| Tom Moyer | UNC Charlotte |
| Trent Jaeger | Penn State University |
| Tushar Jois | Johns Hopkins University |
| Umar Iqbal | University of Washington |
| Varun Chandrasekaran | University of Wisconsin-Madison |
| Vasileios Kemerlis | Brown University |
| Vincent Bindschaedler | University of Florida |
| Wajih Ul Hassan | The University of Virginia |
| Wei Meng | The Chinese University of Hong Kong |
| Wenjing Lou | Virginia Tech |
| Wenyuan Xu | Zhejiang University |
| William Enck | North Carolina State University |
| William Robertson | Northeastern University |
| Wouter Lueks | EPFL |
| Xiao Wang | Northwestern University |
| Xiapu Luo | The Hong Kong Polytechnic University |
| Xinyu Xing | Northwestern University |
| Xusheng Xiao | Case Western Reserve University |
| Yang Zhang | CISPA Helmholtz Center for Information Security |
| Yao Liu | University of South Florida |
| Yinqian Zhang | Southern University of Science and Technology |
| Yizheng Chen | University of California, Berkeley |
| Yossi Gilad | Hebrew University of Jerusalem |
| Yossi Oren | Ben Gurion University of the Negev |
| Yuan Tian | University of Virginia |
| Yuan Zhang | Fudan University |
| Z. Berkay Celik | Purdue University |
| Zakir Durumeric | Stanford University |
| Zane Ma | Georgia Institute of Technology |