IEEE Symposium on Security and Privacy
| IEEE Symposium on Security and Privacy | |
|---|---|
| Abbreviation | IEEE S&P, IEEE SSP |
| Discipline | Computer security and privacy |
| Publication details | |
| Publisher | IEEE |
| History | 1980–present |
| Frequency | Annual |
The IEEE Symposium on Security and Privacy (IEEE S&P, IEEE SSP), also known as the Oakland Conference, is an annual conference on computer security and privacy. It was founded in 1980 by Stan Ames and George Davida and is considered one of the top conferences in the field.[1][2] The conference has a single track, meaning that all presentations and sessions are held sequentially in one venue. It also uses a double-blind review process, in which the identities of authors and reviewers are concealed from each other to ensure impartiality and fairness during peer review.
The conference started as a small workshop where researchers exchanged ideas on computer security and privacy, with an early emphasis on theoretical research. During these initial years, there was a divide between cryptographers and system security researchers, with cryptographers often leaving sessions focused on systems security. This issue was eventually addressed by combining cryptography and system security discussions in the same sessions. In 2011, the conference moved to San Francisco due to venue size concerns.
The conference has a low acceptance rate, in part because its single track limits the number of papers that can be presented. Reviewers evaluate submissions on a variety of criteria, with a focus on novelty. In 2022, researchers who interviewed reviewers from top security conferences, including IEEE S&P, found that the review process was exploitable because reviewing standards were inconsistent across reviewers. They recommended mentoring new reviewers with a focus on review quality to mitigate this issue.
In 2021, researchers from the University of Minnesota submitted a paper to the conference describing an experiment in which they attempted to introduce bugs into the Linux kernel, a widely used operating system component, without Institutional Review Board (IRB) approval. The paper was accepted and scheduled for publication; however, after criticism from the Linux kernel community, the authors retracted the paper and issued a public apology. In response, IEEE S&P committed to adding an ethics review step to its paper review process and to improving its documentation surrounding ethics declarations in research papers.
History
The conference was initially conceived by researchers Stan Ames and George Davida in 1980 as a small workshop for discussing computer security and privacy, and it gradually evolved into a larger gathering within the field. Held initially at the Claremont Resort, the first few iterations of the event saw a division between cryptographers and systems security researchers. Discussions in these early years focused predominantly on theoretical research and neglected practical implementation considerations.[3] The division persisted to the extent that cryptographers would often leave sessions focused on systems security topics.[4] In response, subsequent iterations of the conference integrated panels that combined cryptography and systems security discussions within the same sessions. Over time the conference's attendance grew, leading to a relocation to San Francisco in 2011 due to venue capacity limitations.[3]
Structure
The IEEE Symposium on Security and Privacy considers papers on a wide range of topics related to computer security and privacy. Each year the program chairs publish a list of topics of interest, which changes with trends in the field. Past meetings have considered papers on topics such as web security, online abuse, blockchain security, hardware security, malware analysis and artificial intelligence.[5] The conference follows a single-track model, meaning that only one session takes place at any given time. This differs from the multi-track format common at other security and privacy conferences, where sessions on different topics run concurrently.[3] The single-track model constrains the number of papers the conference can accept, resulting in a low acceptance rate, often in the single digits, whereas other conferences may accept 15 to 20 percent of submissions.[3] Submissions are reviewed using a double-blind process to ensure fairness.[6] In 2023, the conference introduced a Research Ethics Committee that screens submitted papers and flags potential ethical violations.[7]
In 2022, a study by Ananta Soneji et al. showed that the review processes of top security conferences, including the IEEE Symposium on Security and Privacy, were exploitable. The researchers interviewed 21 reviewers about the criteria they used to judge papers. Among them, 19 identified novelty, that is, whether the paper advanced the research problem or the state of the art, as their primary criterion. Nine also emphasized the technical soundness of the implementation, seven mentioned the need for a self-contained and complete evaluation in which all identified areas were thoroughly explored, and six highlighted clear and effective writing. Based on these interviews, the researchers identified the lack of objective evaluation criteria and a degree of randomness among reviews as the major weaknesses of the peer review process used by these conferences. To remedy this, they recommended mentoring new reviewers with a focus on review quality rather than productivity metrics. They acknowledged an IEEE S&P initiative that allows PhD students and postdoctoral researchers to shadow program committee reviewers, but also pointed to a 2017 report suggesting that such students tended to be more critical than experienced reviewers, since they were not evaluated on review quality.[2]
Controversy
In 2021, researchers from the University of Minnesota submitted a paper titled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"[8] to the 42nd iteration of the conference.[9][10] The paper aimed to highlight weaknesses in the review process for Linux kernel patches, and it was accepted for presentation in 2021.[10] The Linux kernel is a widely used open-source operating system component that forms the core of the Linux operating system,[8] which is a popular choice for servers and for consumer-oriented devices such as the Steam Deck,[11] Android and ChromeOS.[12] The researchers' method was to write patches for existing trivial bugs in the Linux kernel in such a way that the patches intentionally introduced security bugs.[13] Four such patches were submitted under pseudonyms; three were rejected by their respective code reviewers, who correctly identified the buggy code.[14] The fourth patch was merged, but a subsequent investigation found that the researchers had misunderstood how the code worked and had in fact submitted a valid fix.[15] The experiment was conducted without Institutional Review Board (IRB) approval.[16][15] This breach of ethical responsibilities was not detected during the conference's review of the paper.[10] The incident drew criticism from the Linux community and the broader cybersecurity community.[16][17][18] Greg Kroah-Hartman, one of the lead maintainers of the kernel, banned both the researchers and the university from making further contributions to the Linux project, which ultimately led the authors and the university to retract the paper[8] and issue an apology to the community of Linux kernel developers.[9][18] In response to this incident, IEEE S&P committed to adding an ethics review step to its paper review process and to improving its documentation surrounding ethics declarations in research papers.[10]
References
- [1] Carver, Jeffrey C.; Burcham, Morgan; Kocak, Sedef Akinli; Bener, Ayse; Felderer, Michael; Gander, Matthias; King, Jason; Markkula, Jouni; Oivo, Markku; Sauerwein, Clemens; Williams, Laurie (2016-04-19). "Establishing a baseline for measuring advancement in the science of security: An analysis of the 2015 IEEE security & privacy proceedings". Proceedings of the Symposium and Bootcamp on the Science of Security. ACM. pp. 38–51. doi:10.1145/2898375.2898380. ISBN 978-1-4503-4277-3.
- [2] Soneji, Ananta; Kokulu, Faris Bugra; Rubio-Medrano, Carlos; Bao, Tiffany; Wang, Ruoyu; Shoshitaishvili, Yan; Doupé, Adam (2022-05-01). ""Flawed, but like democracy we don't have a better system": The Experts' Insights on the Peer Review Process of Evaluating Security Papers". 2022 IEEE Symposium on Security and Privacy (SP). IEEE. pp. 1845–1862. doi:10.1109/SP46214.2022.9833581. ISBN 978-1-6654-1316-9.
- [3] Neumann, Peter G.; Peisert, Sean; Schaefer, Marvin (2014-05-01). "The IEEE Symposium on Security and Privacy, in Retrospect". IEEE Security & Privacy. 12 (3): 15–17. doi:10.1109/MSP.2014.59. ISSN 1540-7993.
- [4] Neumann, Peter G.; Bishop, Matt; Peisert, Sean; Schaefer, Marv (2010). "Reflections on the 30th Anniversary of the IEEE Symposium on Security and Privacy". 2010 IEEE Symposium on Security and Privacy. IEEE. pp. 3–13. doi:10.1109/sp.2010.43. ISBN 978-1-4244-6894-2.
- [5] "IEEE Symposium on Security and Privacy 2023". sp2023.ieee-security.org. Retrieved 2024-08-25.
- [6] "IEEE Symposium on Security and Privacy 2024". sp2024.ieee-security.org. Retrieved 2024-05-06.
- [7] "Message from the Program Chairs". 2023 IEEE Symposium on Security and Privacy (SP). IEEE. 2023-05-01. pp. 34–35. doi:10.1109/SP46215.2023.10179462. ISBN 978-1-6654-9336-9.
- [8] Chin, Monica (2021-04-30). "How a university got itself banned from the Linux kernel". The Verge. Retrieved 2024-05-12.
- [9] Salter, Jim (2021-04-26). "Linux kernel team rejects University of Minnesota researchers' apology". Ars Technica. Retrieved 2024-05-12.
- [10] "IEEE S&P'21 Program Committee Statement Regarding The "Hypocrite Commits" Paper" (PDF). IEEE SSP. 2021-05-06. Retrieved 2024-08-22.
- [11] Dexter, Alan (2021-08-09). "This is why Valve is switching from Debian to Arch for Steam Deck's Linux OS". PC Gamer. Retrieved 2024-08-25.
- [12] "Linux has over 3% of the desktop market? It's more complicated than that". ZDNET. Retrieved 2024-08-25.
- [13] "Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches". ZDNET. Retrieved 2024-05-12.
- [14] "An update on the UMN affair". LWN.net. Retrieved 2024-08-22.
- [15] Cook, Kees. "Report on University of Minnesota Breach-of-Trust Incident". lore.kernel.org. Retrieved 2024-08-22.
- [16] "The Linux Foundation's demands to the University of Minnesota for its bad Linux patches security project". ZDNET. Retrieved 2024-05-12.
- [17] "Intentionally buggy commits for fame—and papers". LWN.net. Retrieved 2024-08-22.
- [18] "University of Minnesota security researchers apologize for deliberately buggy Linux patches". ZDNET. Retrieved 2024-08-22.