MAY 12-15, 2025 AT THE HYATT REGENCY SAN FRANCISCO, SAN FRANCISCO, CA
46th IEEE Symposium on
Security and Privacy
Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Theoretical papers must make a convincing case for the relevance of their results to practice.
Topics of interest include:
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate and may be rejected without full review. Submissions will be distinguished by the prefix “SoK:” in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. You can find an overview of recent SoK papers at https://oaklandsok.github.io.
Similar to 2024, for each submission, one of the following decisions will be made:
Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference. Within one month of acceptance, all accepted papers must submit a camera-ready copy incorporating reviewer feedback. The papers will immediately be published, open access, in the Computer Society’s Digital Library, and they may be cited as “To appear in the IEEE Symposium on Security & Privacy, May 2025”.
Reject: Papers in this category are declined for inclusion in the conference. Rejected papers must wait for one year, from the date of original submission, to resubmit to IEEE S&P. A paper will be judged to be a resubmit (as opposed to a new submission) if the paper is from the same or similar authors, and a reviewer could write a substantially similar summary of the paper compared with the original submission. As a rule of thumb, if there is more than 40% overlap between the original submission and the new paper, it will be considered a resubmission.
Public Meta-Reviews: Similar to 2024, all accepted papers will be
published with a meta-review (< 500 words) in the final PDF that
lists: (a) the reasons the PC decided to accept the paper and (b)
concerns the PC has with the paper. Authors will be given the option
to write a response to the meta-review (< 500 words) which will be
published as part of the meta-review. Authors will be given a draft
meta-review at the time of acceptance. Authors will be given the
option of addressing some or all of the concerns within one review cycle. A shepherd will remove concerns from the meta-review if they are sufficiently addressed by the revisions.
The goal of this process is to provide greater transparency and to better scope change requests made by reviewers. More information about the reasons behind this change can be found on the 2024 IEEE S&P website.
The number of papers accepted to IEEE S&P continues to grow substantially each year. Due to conference venue limitations and costs, each accepted paper will have: (a) a short talk presentation (e.g., 5-7 minutes, length determined based on the number of accepted papers) and (b) a poster presentation immediately following the talk session containing the paper. All accepted papers are required to present both a short talk and a poster.
All deadlines are 23:59:59 AoE (UTC-12).
Papers reaching the second round of reviewing will be given an opportunity to write a rebuttal to reviewer questions. The rebuttal period will be interactive, and is separate from the meta-review rebuttal given to accepted papers. Authors have the opportunity to exchange messages with the reviewers and respond to questions asked. To this end, we will use HotCRP’s anonymous communication feature to enable a communication channel between authors and reviewers. The authors should mainly focus on factual errors in the reviews and concrete questions posed by the reviewers. New research results can also be discussed if they help to clarify open questions. More instructions will be sent out to the authors at the beginning of the rebuttal period.
As with previous IEEE S&P symposia with multiple submission cycles, rejected papers must wait one year before resubmission to IEEE S&P. Given the move from three submission deadlines in 2024 to two submission deadlines in 2025, rejected papers are eligible to submit according to the table below.
| 2024 deadlines | Reject decision Eligible 2025 deadlines |
| First 2024 (April 13, 2023) |
Either 2025 deadline |
| Second 2024 (August 3, 2023) |
Either 2025 deadline |
| Third 2024 (Dec 6, 2023) |
Second deadline (Nov 14, 2024) |
These instructions apply to both the research papers and systematization of knowledge (SoK) papers. All submissions must be original work; the submitter must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection. Contact the program committee chairs if there are questions about this policy.
Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing authors’ identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers that are not properly anonymized may be rejected without review. PC members who have a genuine conflict of interest with a paper, including the PC Co-Chairs and the Associate Chairs, will be excluded from evaluation and discussion of that paper.
While a paper is under submission to the IEEE Security & Privacy Symposium, authors may choose to give talks about their work, post a preprint of the paper to an archival repository such as arXiv, and disclose security vulnerabilities to vendors. Authors should refrain from widely advertising their results, but in special circumstances they should contact the PC chairs to discuss exceptions. Authors are not allowed to directly contact PC members to discuss their submission.
The submissions will be treated confidentially by the PC chairs and the program committee members. Program committee members are not allowed to share the submitted papers with anyone, with the exception of qualified external reviewers approved by the program committee chairs. Please contact the PC chairs if you have any questions or concerns.
During submission of a research paper, the submission site will request information about conflicts of interest of the paper’s authors with program committee (PC) members. It is the full responsibility of all authors of a paper to identify all and only their potential conflict-of-interest PC members, according to the following definition. A paper author has a conflict of interest with a PC member when and only when one or more of the following conditions holds:
The PC member is a co-author of the paper.
For any other situation where the authors feel they have a conflict with a PC member, they must explain the nature of the conflict to the PC chairs, who will mark the conflict if appropriate. The program chairs will review declared conflicts. Papers with incorrect or incomplete conflict of interest information as of the submission closing time are subject to immediate rejection.
Similar to 2024, IEEE S&P 2025 has a research ethics committee (REC) that will check papers flagged by reviewers as potentially including ethically fraught research. The REC will review flagged papers and may suggest to the PC Chairs rejection of a paper on ethical grounds. The REC consists of members of the PC. Authors are encouraged to review the Menlo Report for general ethical guidelines for computer and information security research.
Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.
Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.
The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
Note: Submitted papers should not include full CVE identifiers in order to preserve the anonymity of the submission.
Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the REC and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.
In the interests of transparency and to help readers form their own judgements of potential bias, the IEEE Symposium on Security & Privacy requires authors and PC members to declare any competing financial and/or non-financial interests in relation to the work described. Authors need to include a disclosure of relevant financial interests in the camera-ready versions of their papers. This includes not just the standard funding lines, but should also include disclosures of any financial interest related to the research described. For example, “Author X is on the Technical Advisory Board of the ByteCoin Foundation,” or “Professor Y is the CTO of DoubleDefense, which specializes in malware analysis.” More information regarding this policy is available here.
Submitted papers may include up to 13 pages of text and up to 5 pages for references and appendices, totaling no more than 18 pages. All text and figures past page 13 must be clearly marked as part of the appendix. The final camera-ready paper must be no more than 18 pages, although, at the PC chairs’ discretion, additional pages may be allowed. Reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. All submissions must use the IEEE “compsoc” conference proceedings template. LaTeX submissions using the IEEE templates must use IEEEtran.cls version 1.8b with options “conference,compsoc.” (That is, begin your LaTeX document with the line \documentclass[conference,compsoc]{IEEEtran}.). See the “IEEE Demo Template for Computer Society Conferences” Overleaf template for an example. We are not aware of an MS Word template that matches this style.
Papers that fail to use the “compsoc” template (including using the non-compsoc IEEE conference template), modify margins, font, or line spacing, or use egregious space scrunching are subject to rejection without review. Authors are responsible for verifying the paper format (e.g., compare with the above linked Overleaf template). While HotCRP provides some automated checking, the checks are limited. Note that some LaTeX packages (e.g., \usepackage{usenix}) override the compsoc formatting and must be removed.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers.
Submission server: https://cycle1.sp2025.ieee-security.org/
Authors are responsible for obtaining appropriate publication clearances. One of the authors of the accepted paper is expected to register and present the paper at the conference.
| William Enck | North Carolina State University |
| Cristina Nita-Rotaru | Northeastern University |
| Adwait Nadkarni | William & Mary |
| Alex Kapravelos | North Carolina State University |
| Amir Houmansadr | University of Massachusetts Amherst |
| Batista Biggio | University of Cagliari |
| Christina Garman | Purdue University |
| Ian Miers | University of Maryland, College Park |
| Ioana Boureanu | Univ. of Surrey, Surrey Centre for Cybersecurity |
| Sara Rampazzi | University of Florida |
| Sascha Fahl | CISPA |
| William Robertson | Northeastern University |
| René Mayrhofer | Johannes Kepler University Linz |
| Blase Ur | University of Chicago |
| Adam Bates | University of Illinois at Urbana-Champaign |
| Adam Doupé | Arizona State University |
| Adam Oest | Amazon |
| Adil Ahmad | Arizona State University |
| Ahmad-Reza Sadeghi | Technical University Darmstadt |
| Alena Naiakshina | Ruhr University Bochum |
| Alesia Chernikova | Northeastern University |
| Alessandro Brighente | University of Padova |
| Alexander Block | Georgetown University & University of Maryland |
| Alexandra Dmitrienko | University of Wuerzburg |
| Alexios Voulimeneas | TU Delft |
| Ali Abbasi | CISPA Helmholtz Center for Information Security |
| Álvaro Feal | Northeastern University |
| Amit Seal Ami | William & Mary |
| Ana-Maria Cretu | EPFL, Lausanne, Switzerland |
| Andrei Sabelfeld | Chalmers University of Technology |
| Andrew Kwong | UNC Chapel Hill |
| Andrew Paverd | Microsoft |
| Ang Chen | University of Michigan |
| Angelos Stavrou | Virginia Tech |
| Aniket Kate | Purdue University / Supra Research |
| Antonio Bianchi | Purdue University |
| Anupam Das | North Carolina State University |
| Anwar Hithnawi | ETH Zurich |
| Aravind Machiry | Purdue University |
| Arslan Khan | Pennsylvania State University/ Purdue University |
| Arthur Gervais | UCL |
| Ashish Kundu | Cisco Research |
| Bailey Kacsmar | University of Alberta |
| Ben Stock | CISPA Helmholtz Center for Information Security |
| Ben Weintraub | Northeastern University |
| Ben Zhao | University of Chicago |
| Benjamin Beurdouche | Mozilla |
| Blaine Hoak | University of Wisconsin-Madison |
| Bo Chen | Michigan Technological University |
| Bogdan Carbunar | Florida International University |
| Brad Reaves | North Carolina State University |
| Brendan Saltaformaggio | Georgia Institute of Technology |
| Byoungyoung Lee | Seoul National University |
| Chao Zhang | Tsinghua University |
| Charalampos Papamanthou | Yale University |
| Chen-Da Liu-Zhang | Lucerne University of Applied Sciences and Arts & Web3 Foundation |
| Christof Ferreira Torres | ETH Zürich |
| Christopher A. Choquette-Choo | Google DeepMind |
| Claudio Soriente | NEC Laboratories Europe |
| Constantin Catalin Dragan | University of Surrey |
| Daniel Genkin | Georgia Tech |
| Daniel Votipka | Tufts University |
| Daniele Cono D'Elia | Sapienza University of Rome |
| David Balash | University of Richmond |
| Debajyoti Das | KU Leuven |
| Deian Stefan | UC San Diego |
| Dimitrios Papadopoulos | HKUST |
| Diogo Barradas | University of Waterloo |
| Dominik Wermke | NC State |
| Dongdong She | Hong Kong University of Science and Technology |
| Duc Le | Visa Research |
| Earlence Fernandes | UC San Diego |
| Eleonora Losiouk | University of Padua |
| Elisa Bertino | Purdue University |
| Emiliano De Cristofaro | UC Riverside |
| Emily Wenger | Duke University |
| Endadul Hoque | Syracuse University |
| Eric Pauley | University of Wisconsin–Madison |
| Eysa Lee | Brown University |
| Fabio De Gaspari | Sapienza Università di Roma |
| Faysal hossain Shezan | University of Texas at Arlington |
| Fengwei Zhang | Southern University of Science and Technology |
| Florian Kerschbaum | University of Waterloo |
| Florian Tramer | ETH Zurich |
| Frank Li | Georgia Institute of Technology |
| Frank Piessens | KU Leuven |
| Gang Wang | University of Illinois at Urbana-Champaign |
| Gaoning Pan | Hangzhou Dianzi University |
| Georgios Smaragdakis | Delft University of Technology |
| Giovanni Camurati | ETH Zurich |
| Giovanni Cherubin | Microsoft |
| Giulia Fanti | Carnegie Mellon University |
| Giuseppe Ateniese | George Mason University |
| Guangdong Bai | The University of Queensland |
| Guangliang Yang | Fudan University |
| Guanhong Tao | University of Utah |
| Guevara Noubir | Northeastern University |
| Guillermo Suarez-Tangil | IMDEA Networks Institute |
| Habiba Farrukh | University of California, Irvine |
| Haoyu Wang | Huazhong University of Science and Technology |
| Harshad Sathaye | ETH Zürich |
| Haya Schulmann | Goethe-Universität Frankfurt |
| Heather Zheng | University of Chicago |
| Heng Yin | UC Riverside |
| Homa Alemzadeh | University of Virginia |
| Hongxin Hu | University at Buffalo |
| Hyungsub Kim | Purdue University & Indiana University |
| Imtiaz Karim | Purdue University |
| Jack Doerner | Brown University |
| Jaron Mink | Arizona State University |
| Jason Nieh | Columbia University |
| Jason (Minhui) Xue | CSIRO’s Data61 |
| Jeremiah Blocki | Purdue University |
| Jiarong Xing | Rice University |
| Jiska Classen | Hasso Plattner Institute |
| Jon McCune | |
| Jonas Hielscher | Ruhr University Bochum |
| Joseph Bonneau | a16z crypto research and New York University |
| Jun Han | KAIST |
| Kaihua Qin | Yale University |
| Kelsey Fulton | Colorado School of Mines |
| Kevin Borgolte | Ruhr University Bochum |
| Kevin Butler | University of Florida |
| Klaus v. Gleissenthall | VU Amsterdam |
| Kun Sun | George Mason University |
| Lorenzo Cavallaro | University College London |
| Lucianna Kiffer | ETH Zurich |
| Lucy Simko | Barnard College |
| Luyi Xing | Indiana University Bloomington |
| Man-Ki Yoon | North Carolina State University |
| Marco Squarcina | TU Wien |
| Maria Apostolaki | Princeton University |
| Marina Blanton | University at Buffalo |
| Markus Miettinen | Frankfurt University of Applied Sciences |
| Martin Henze | RWTH Aachen University & Fraunhofer FKIE |
| Matthew Jones | Block |
| Matthew Lentz | Duke University and Broadcom |
| Mauro Conti | University of Padua |
| Meera Sridhar | University of North Carolina Charlotte |
| Meng Shen | Beijing Institute of Technology |
| Michael Waidner | Technische Universität Darmstadt |
| Mohammad Islam | University of Texas at Arlington |
| Mridula Singh | CISPA Helmholtz Center for Information Security |
| Mu Zhang | University of Utah |
| Mulong Luo | The University of Texas at Austin |
| Muoi Tran | ETH Zurich |
| Murtuza Jadliwala | University of Texas at San Antonio |
| Muslum Ozgur Ozmen | Arizona State University |
| Nils Lukas | University of Waterloo |
| Ning Zhang | Washington University in St. Louis |
| Nuno Santos | INESC-ID and Instituto Superior Técnico, University of Lisbon |
| Omar Chowdhury | Stony Brook University |
| Peng Gao | Virginia Tech |
| Pramod Bhatotia | TU Munich |
| Pratik Sarkar | Supra Research |
| Pratyush Mishra | University of Pennsylvania |
| Qi Li | Tsinghua University |
| Qiang Tang | The University of Sydney |
| Qiben Yan | Michigan State University |
| Qingkai Shi | Nanjing University |
| Quinn Burke | University of Wisconsin-Madison |
| Rahul Chatterjee | University of Wisconsin-Madison |
| Ram Sundara Raman | University of Michigan |
| Ramya Jayaram Masti | Ampere Computing |
| Rei Safavi-Naini | University of Calgary |
| Ryan Sheatsley | University of Wisconsin-Madison |
| Saba Eskandarian | University of North Carolina at Chapel Hill |
| Saman Zonouz | Georgia Tech |
| Samira Mirbagher Ajorpaz | North Carolina State University |
| Sathvik Prasad | North Carolina State University |
| Sazzadur Rahaman | University of Arizona |
| Sen Chen | Tianjin University |
| Seyedhamed Ghavamnia | University of Connecticut |
| Sherman S. M. Chow | The Chinese University of Hong Kong |
| Shih-Wei Li | National Taiwan University |
| Shitong Zhu | Meta Platforms Inc. |
| Shuai Wang | Hong Kong University of Science and Technology |
| Siqi Ma | The University of New South Wales |
| Sisi Duan | Tsinghua University |
| Soheil Khodayari | CISPA Helmholtz Center for Information Security |
| Song Li | Zhejiang University |
| Srdjan Capkun | ETH Zurich |
| Sri AravindaKrishnan Thyagarajan | University of Sydney |
| Stephen Herwig | William & Mary |
| Sunil Manandhar | IBM Research |
| Sven Bugiel | CISPA Helmholtz Center for Information Security |
| Swarn Priya | Virginia Tech |
| Syed Rafiul Hussain | Pennsylvania State University |
| Tapti Palit | Purdue University |
| Teodora Baluta | National University of Singapore |
| Tianhao Wang | University of Virginia |
| Tobias Fiebig | MPI-INF |
| Trent Jaeger | UC Riverside |
| Tushar Jois | City College of New York |
| VARUN CHANDRASEKARAN | University of Illinois Urbana-Champaign |
| Varun Madathil | Yale University |
| Wajih Ul Hassan | The University of Virginia |
| Weijia He | Dartmouth College |
| Wenjing Lou | Virginia Tech |
| Xiaojing Liao | Indiana University Bloomington |
| Xinda Wang | University of Texas at Dallas |
| Xingliang Yuan | The University of Melbourne |
| Xinyu Xing | Northwestern University |
| Xusheng Xiao | Arizona State University |
| Yan Chen | Northwestern University |
| Yan Shoshitaishvili | Arizona State University |
| Yanchao Zhang | Arizona State University |
| Yaxing Yao | Virginia Tech |
| Yigitcan Kaya | UC Santa Barbara |
| Yingying Chen | Rutgers University |
| Yinxi Liu | Rochester Institute of Technology |
| Yinzhi Cao | Johns Hopkins University |
| Yizheng Chen | University of Maryland |
| Yonghwi Kwon | University of Maryland |
| Yossi Oren | Ben-Gurion University, Israel |
| Yu Ding | Google DeepMind |
| Yuan Tian | UCLA |
| Yupeng Zhang | University of Illinois Urbana Champaign |
| Yuseok Jeon | Ulsan National Institute of Science and Technology (UNIST) |
| Yuval Yarom | Ruhr University Bochum |
| Yuzhe Tang | Syracuse University |
| Z. Berkay Celik | Purdue University |
| Zane Ma | Oregon State University |
| Zhiqiang Lin | Ohio State University |
| Zhiyun Qian | University of California, Riverside |
| Zhou Li | University of California, Irvine |
| Zhuotao Liu | Tsinghua University |
| Ziming Zhao | University at Buffalo |
| Ziqi Yang | Zhejiang University |