MAY 20-23, 2024 AT THE HILTON SAN FRANCISCO UNION SQUARE, SAN FRANCISCO, CA
45th IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Theoretical papers must make a convincing case for the relevance of their results to practice.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. You can find an overview of recent SoK papers at https://oaklandsok.github.io/.
Similar to 2023, there will be three submission deadlines this year. For each submission, one of the following decisions will be made:
Accept : Papers in this category will be accepted for publication in the proceedings and presentation at the conference. Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2024”.
Reject : Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
Public Meta-Reviews: All accepted papers will be published alongside a meta-review (< 500 words) that lists (a) the reasons the PC decided to accept the paper and (b) concerns the PC has with the paper. Authors will be given the option to write a response to the meta-review (< 500 words) which will be published as part of the meta-review. Authors will be given a draft meta-review at the time of acceptance. Authors will be given the option of addressing some or all of the concerns within one review cycle. A shepherd will remove concerns from the meta-review if they are sufficiently addressed by the revisions. Authors of papers accepted to the third submission cycle will be given the option to have their paper appear in the 2025 proceedings if they are not able to complete revisions in time for the final camera ready deadline.
The goal of this process is to provide greater transparency and to better scope change requests made by reviewers. More information about the reasons behind this change can be found here.
Re-Submission of Major Revisions from Prior Years: Authors resubmitting papers that received Major Revision decisions in 2023 will also be published with the public meta-reviews as described above.
More information about the reasons behind the above changes can be found here.
All deadlines are 23:59:59 AoE (UTC-12).
Papers reaching the second round of reviewing will be given an opportunity to write a rebuttal to reviewer questions. The rebuttal period will be interactive, and is separate from the meta-review rebuttal given to accepted papers.
Authors have the opportunity to exchange messages with the reviewers and respond to questions asked. To this end, we will use HotCRP’s anonymous communication feature to enable a communication channel between authors and reviewers. The authors should mainly focus on factual errors in the reviews and concrete questions posed by the reviewers. New research results can also be discussed if they help to clarify open questions. More instructions will be sent out to the authors at the beginning of the rebuttal period.
Papers submitted to one of the 2023 submission cycles may have received a Major Revision or Reject decision. For these papers, we will follow the rules defined in the 2023 Call for Papers, which allow authors of Major Revision papers to submit a revised paper to the next two submission deadlines after the notification. The table below summarizes the eligible 2023 deadlines for papers that received a revise decision or reject decision for a paper submitted to IEEE S&P’23 for each of the three 2023 cycles.
| 2023 deadlines | Revise decision Eligible 2024 deadlines |
Reject decision Eligible 2024 deadlines |
| First 2023 (April 1, 2022) |
None | Any 2024 deadline |
| Second 2023 (August 19, 2022) |
First deadline (April 13,2023) |
Second deadline (Aug 3, 2023) Third deadline (Dec 6, 2023) |
| Third 2023 (Dec 2, 2022) |
First deadline (April 13, 2023) Second deadline (August 3, 2023) |
Third deadline (Dec 6, 2023) |
These instructions apply to both the research papers and systematization of knowledge (SoK) papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review. PC members who have a genuine conflict of interest with a paper, including the PC Co-Chairs and the Associate Chairs, will be excluded from evaluation and discussion of that paper.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper to an archival repository such as arXiv, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to directly contact PC members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper’s authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
The PC member is a co-author of the paper.
The PC member has been a collaborator within the past two years.
The PC member is or was the author’s primary thesis advisor, no matter how long ago.
The author is or was the PC member’s primary thesis advisor, no matter how long ago.
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. The program chairs will review declared conflicts. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
Similar to 2023, IEEE S&P 2024 has a research ethics committee (REC) that will check papers flagged by reviewers as potentially including ethically fraught research. The REC will review flagged papers and may suggest to the PC Chairs rejection of a paper on ethical grounds. The REC consists of members of the PC. Authors are encouraged to review the Menlo Report for general ethical guidelines for computer and information security research.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.
Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, “Author X is on the Technical Advisory Board of the ByteCoin Foundation,” or “Professor Y is the CTO of DoubleDefense, which specializes in malware analysis.” More information regarding this policy is available here.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. The same applies to camera-ready papers, although, at the PC chairs’ discretion, additional pages may be allowed for references and appendices. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. All submissions must use the IEEE “compsoc” conference proceedings template. LaTeX submissions using the IEEE templates must use IEEEtran.cls version 1.8b with options “conference,compsoc.” (That is, begin your LaTeX document with the line \documentclass[conference,compsoc]{IEEEtran}.). See the “IEEE Demo Template for Computer Society Conferences” Overleaf template for an example.
Papers that fail to use the “compsoc” template (including using the non-compsoc IEEE conference template), modify margins, font, or line spacing, or use egregious space scrunching are subject to rejection without review. Authors are responsible for verifying the paper format. While HotCRP provides some automated checking, the checks are limited.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Links to submission servers:
Cycle 1: https://spring.sp2024.ieee-security.org/
Cycle 2: https://summer.sp2024.ieee-security.org/
Cycle 3: https://winter.sp2024.ieee-security.org/
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to register and present the paper at the conference.
| Patrick Traynor | University of Florida |
| William Enck | North Carolina State University |
| Aanjhan Ranganathan | Northeastern University |
| Adam Bates | University of Illinois Urbana-Champaign |
| Andrew Paverd | Microsoft |
| Hamed Okhravi | MIT Lincoln Laboratory |
| Matt Fredrikson | Carnegie Mellon University |
| Matteo Maffei | TU Wein |
| Micah Sherr | Georgetown University |
| Sascha Fahl | CISPA |
| Tiffany Bao | Arizona State University |
| Yuan Tian | University of California, Los Angelos |
| René Mayrhofer | Johannes Kepler University Linz |
| Abbas Acar | Florida International University |
| AbdelRahman Abdou | Carleton University |
| Abhishek Jain | Johns Hopkins University |
| Adam Oest | Paypal, Inc. |
| Adam Doupé | Arizona State University |
| Adam Bates | University of Illinois at Urbana-Champaign |
| Adwait Nadkarni | William & Mary |
| Ajith Suresh | Technology Innovation Institute (TII) |
| Alena Naiakshina | Ruhr University Bochum |
| Alessandra Scafuro | NCSU |
| Alexander Block | Georgetown University & University of Maryland, College Park |
| Alfred Chen | University of California, Irvine |
| Alina Oprea | Northeastern University |
| Allison McDonald | Boston University |
| Amit Kumar Sikder | Georgia Institute of Technology |
| Andrei Sabelfeld | Chalmers University of Technology |
| Ang Chen | Rice University |
| Angelos Stavrou | Virginia Tech |
| Aniket Kate | Purdue University / Supra |
| Anindya Maiti | University of Oklahoma |
| Anupam Das | North Carolina State University |
| Apu Kapadia | Indiana University Bloomington |
| Aravind Machiry | Purdue University |
| Aurélien Francillon | EURECOM |
| Ben Stock | CISPA Helmholtz Center for Information Security |
| Benjamin Ujcich | Georgetown University |
| Benjamin Dowling | The University of Sheffield |
| Blaine Hoak | University of Wisconsin-Madison |
| Blase Ur | University of Chicago |
| Bogdan Groza | Universitatea Politehnica Timisoara |
| Brad Reaves | North Carolina State University |
| Brendan Saltaformaggio | Georgia Tech |
| Byoungyoung Lee | Seoul National University |
| Carrie Gates | Bank of America |
| Carter Yagemann | The Ohio State University |
| Casey Meehan | Vector Institute |
| Chaowei Xiao | Arizona State University |
| Chengyu Song | UC Riverside |
| Christian Wressnegger | Karlsruhe Institute of Technology (KIT) |
| Christian Peeters | Harbor Labs |
| Christina Garman | Purdue University |
| Christina Pöpper | New York University Abu Dhabi |
| Christopher A. Choquette-Choo | Google Research, Brain Team |
| Claudio Soriente | NEC laboratories Europe |
| Cristian-Alexandru Staicu | CISPA Helmholtz Center for Information Security |
| Daniel Genkin | Georgia Tech |
| Daniel Votipka | Tufts University |
| Dave (Jing) Tian | Purdue University |
| David Barrera | Carleton University |
| David Cash | University of Chicago |
| Debajyoti Das | KU Leuven |
| Deepak Kumar | Stanford University |
| Derrick McKee | MIT Lincoln Laboratory |
| Dimitrios Papadopoulos | The Hong Kong University of Science and Technology |
| Dominik Wermke | CISPA |
| Drew Davidson | University of Kansas |
| Earlence Fernandes | UC San Diego |
| Eleonora Losiouk | University of Padua |
| Emily Wenger | University of Chicago and Meta AI |
| Eric Pauley | University of Wisconsin-Madison |
| Ethan Cecchetti | University of Maryland / University of Wisconsin - Madison |
| Evgenios Kornaropoulos | George Mason University |
| Eyal Ronen | Tel Aviv University |
| Eyal Ronen | Tel Aviv University |
| Fabio Pierazzi | King's College London |
| Faysal Shezan | University of Texas at Arlington |
| Fengwei Zhang | Southern University of Science and Technology (SUStech) |
| Florian Schaub | University of Michigan |
| Florian Kerschbaum | University of Waterloo |
| Florian Tramèr | ETH Zürich |
| Fnu Suya | University of Maryland |
| Frank Li | Georgia Institute of Technology |
| Frank Piessens | KU Leuven |
| Franziska Boenisch | Vector Institute |
| Furkan Alaca | Queen's University |
| Gang Wang | University of Illinois at Urbana-Champaign |
| Gary Tan | The Pennsylvania State University |
| Georgios Portokalidis | IMDEA Software Institute |
| Ghassan Karame | Ruhr-University Bochum |
| Giancarlo Pellegrino | CISPA Helmholtz Center for Information Security |
| Giovanni Camurati | ETH Zurich |
| Grant Ho | UCSD and UChicago |
| Guevara Noubir | Northeastern University |
| Guillermo Suarez-Tangil | IMDEA Networks Institute |
| Habiba Farrukh | Purdue University |
| Hang Zhang | Georgia Institute of Technology |
| Haya Shulman | Goethe-Universität Frankfurt | Fraunhofer SIT | ATHENE |
| Heather Zheng | University of Chicago |
| Heng Yin | University of California Riverside |
| Hovav Shacham | The University of Texas at Austin |
| Hyungjoon Koo | Sungkyunkwan University |
| Insu Yun | KAIST |
| Ioana Boureanu | Univ. of Surrey, Surrey Centre for Cybersecurity |
| Jason Nieh | Columbia University |
| Jeremiah Blocki | Purdue University |
| Jianjun Chen | Tsinghua University |
| Jiarong Xing | Rice University |
| Jiska Classen | TU Darmstadt, SEEMOO |
| Johanna Ullrich | SBA Research/University of Vienna |
| Jon McCune | Google LLC |
| Jun Han | Yonsei University |
| Kangjie Lu | University of Minnesota |
| Karen Sowon | Postdoctoral research associate, Carnegie Mellon University |
| Kartik Nayak | Duke University |
| Kassem Fawaz | University of Wisconsin-Madison |
| Kavita Kumari | Technical University of Darmstadt |
| Kelsey Fulton | Colorado School of Mines |
| Kevin Borgolte | Ruhr University Bochum |
| Kevin Butler | University of Florida |
| Kexin Pei | Columbia University |
| Kovila P.L. Coopamootoo | King's College London |
| Lejla Batina | Radboud University |
| Leonardo Babun | Johns Hopkins Applied Physics Laboratory |
| Liang Wang | Princeton University |
| Lianying Zhao | Carleton University |
| Liqun Chen | University of Surrey |
| Liz Izhikevich | Stanford University |
| Luis Vargas | Harbor Labs |
| Lujo Bauer | Carnegie Mellon University |
| Mahmood Sharif | Tel Aviv University |
| Marco Squarcina | TU Wien |
| Mariana Raykova | |
| Markus Miettinen | Technical University of Darmstadt |
| Marshini Chetty | University of Chicago |
| Mathy Vanhoef | KU Leuven |
| Matthew Lentz | Duke University |
| Mauro Conti | University of Padua |
| Michael Reiter | Duke University |
| Michael Waidner | Technische Universität Darmstadt |
| Michail Maniatakos | NYU Abu Dhabi |
| Michalis Polychronakis | Stony Brook University |
| Mridula Singh | CISPA Helmholtz Center for Information Security |
| Murtuza Jadliwala | University of Texas at San Antonio |
| Nick Nikiforakis | Stony Brook University |
| Nicolas Papernot | University of Toronto and Vector Institute and Google |
| Nikita Borisov | University of Illinois at Urbana-Champaign |
| Nikos Vasilakis | Brown University |
| Ning Zhang | Washington University in St. Louis |
| Noel Warford | University of Maryland |
| Olivier Levillain | Télécom SudParis |
| Olya Ohrimenko | The University of Melbourne |
| Omar Chowdhury | Stony Brook University |
| Omer Akgul | University of Maryland |
| Panos Papadimitratos | KTH Royal Institute of Technology |
| Pardis Emami-Naeini | Duke University |
| Patrick McDaniel | University of Wisconsin-Madison |
| Paul Pearce | Georgia Institute of Technology |
| Paul Martin | Harbor Labs |
| Peter Snyder | Brave Software |
| Pratyush Mishra | University of Pennsylvania |
| Qiushi Wu | University of Minnesota |
| Quinn Burke | University of Wisconsin-Madison |
| Rahul Chatterjee | University of Wisconsin-Madison |
| Rakibul Hasan | Arizona State University |
| Ramakrishnan Sundara Raman | University of Michigan |
| Ramya Jayaram Masti | Ampere Computing |
| Reza Shokri | National University of Singapore |
| Ruoyu “Fish” Wang | Arizona State University |
| Ryan Wails | Georgetown University & U.S. Naval Research Laboratory |
| Ryan Sheatsley | University of Wisconsin-Madison |
| Saba Eskandarian | University of North Carolina at Chapel Hill |
| Saman Zonouz | Georgia Tech |
| Santiago Torres-Arias | Purdue University |
| Sara Rampazzi | University of Florida |
| Sathvik Prasad | North Carolina State University |
| Sazzadur Rahaman | University of Arizona |
| Sebastian Roth | TU Wien |
| Selcuk Uluagac | Florida International University |
| Serge Egelman | UC Berkeley / ICSI / AppCensus, Inc. |
| Shamaria Engram | MIT Lincoln Laboratory |
| Shitong Zhu | Meta Platforms, Inc. |
| Shruti Tople | Microsoft |
| Shuai Wang | HKUST |
| Sisi Duan | Tsinghua University |
| Sofia Celi | Brave Software |
| Soheil Khodayari | CISPA Helmholtz Center for Information Security |
| Srdjan Capkun | ETH Zurich |
| Suman Jana | Columbia University |
| Sunil Manandhar | IBM Research |
| Sven Bugiel | CISPA Helmholtz Center for Information Security |
| Sze Yiu Chau | The Chinese University of Hong Kong |
| Takeshi Sugawara | The University of Electro-Communications |
| Tianhao Wang | University of Virginia |
| Tobias Fiebig | Max-Planck-Institut für Informatik |
| Tushar Jois | Johns Hopkins University |
| Tyler Kaczmarek | MIT Lincoln Laboratory |
| Vasileios Kemerlis | Brown University |
| Vincent Bindschaedler | University of Florida |
| Vipul Goyal | NTT Research and CMU |
| Wajih Ul Hassan | University of Virginia |
| Wei Meng | The Chinese University of Hong Kong |
| Weiteng Chen | Microsoft Research, Redmond |
| Wenjing Lou | Virginia Tech |
| William Robertson | Northeastern University |
| Xiaojing Liao | Indiana University Bloomington |
| Xiapu Luo | The Hong Kong Polytechnic University |
| Xinlei He | CISPA Helmholtz Center for Information Security |
| Xusheng Xiao | Arizona State University |
| Yan Chen | Northwestern University |
| Yang Zhang | CISPA Helmholtz Center for Information Security |
| Yanick Fratantonio | |
| Yasemin Acar | Paderborn University & George Washington University |
| Yasemin Acar | Paderborn University |
| Yinzhi Cao | Johns Hopkins University |
| Yixin Sun | University of Virginia |
| Yongdae Kim | KAIST |
| Yuval Yarom | University of Adelaide |
| Z. Berkay Celik | Purdue University |
| Zakir Durumeric | Stanford University |
| Zane Ma | Georgia Institute of Technology |
| Zhen Huang | DePaul University |
| Zhiqiang Lin | Ohio State University |
| Zhiyun Qian | University of California, Riverside |
| Ziqiao Zhou | Microsoft Research |