Notable SoS Papers
To help the SoS Community be aware of the top security papers in the past year, the SoS Initiative is compiling a list of about 10-15 papers each year. This list is to help the community prioritize reading. These are just the best papers, one of us have read in the year. We're trying to keep the list short, so there will be oustanding papers missing.
2023 |2022 |2021 |2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014
2023
| Author(s) Name(s) | Nominated Paper Title | Venue Previously Published | |
| Alexandra Nisenoff, Maximilian Golla, Miranda Wei, Juliette Hainline, Hayley Szymanek, Annika Braun, Annika Hildebrandt, Blair Christensen, David Langenberg, Blase Ur | A Two-Decade Retrospective Analysis of a University's Vulnerability to Attacks Exploiting Reused Passwords | USENIX Security 2023 | |
| Shawn Shan, Jenna Cryan, Emily Wenger, Haitao Zheng, Rana Hanocka, and Ben Y. Zhao | Glaze: Protecting Artists from Style Mimicry by Text-to-Image Models | USENIX Security 2023 | |
| Boxin Wang, Weixin Chen, Hengzhi Pei, Chulin Xie, Mintong Kang, Chenhui Zhang, Chejian Xu, Zidi Xiong, Ritik Dutta, Rylan Schaeffer, Sang T. Truong, Simran Arora, Mantas Mazeika, Dan Hendrycks, Zinan Lin, Yu Cheng, Sanmi Koyejo, Dawn Song, Bo Li | DecodingTrust: Comprehensive Assessment of Trustworthiness in GPT Models | NeurIPS 2023 | Winner of NSA Paper Competition |
| Anna-Marie Ortloff, Christian Tiefenau, Matthew Smith | SoK: I Have the (Developer) Power! Sample Size Estimation for Fisher's Exact, Chi-Squared, McNemar's, Wilcoxon Rank-Sum, Wilcoxon Signed-Rank and t-tests in Developer-Centered Usable Security | SOUPS 2023 | Honorable Mention of NSA Paper Competition |
| Tadayoshi Kohno, Yasemin Acar, Wulf Loh | Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations | USENIX Security 2023 | Honorable Mention of NSA Paper Competition |
| Fnu Suya, Xiao Zhang, Yuan Tian, and David Evans | What Distributions are Robust to Indiscriminate Poisoning Attacks for Linear Learners? | NeurIPS 2023 | |
| Francesco Ciclosi; Fabio Massacci | The Data Protection Officer: A Ubiquitous Role That No One Really Knows | IEEE Security & Privacy Magazine | |
| Tomas Hlavacek, Haya Schulmann, Niklas Vogel, Michael Waidner | Keep Your Friends Close, but Your Routeservers Closer: Insights into RPKI Validation in the Internet | USENISX Security 2023 |
2022
| Author(s) Name(s) | Nominated Paper Title | Venue Previously Published | |
| Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallarok, Konrad Rieck | Dos and Don'ts of Machine Learning in Computer Security | USENIX Security 2022 | |
| Ning Luo, Timos Antonopoulos, William Harris, Ruzica Piskac, Eran Tromer, and Xiao Wang | Proving UNSAT in Zero Knowledge | CCS '22 | |
| David Baelde, Stephanie Delaune, Adrien Koutsos, and Solène Moreau | Cracking the Stateful Nut -- Computational Proofs of Stateful Security Protocols using the Squirrel Proof Assistant | IEEE S&P '23 | |
| David Heath, Vladimir Kolesnikov, and Rafail Ostrovsky | EpiGRAM: Practical Garbled RAM | EUROCRYPT 2022 | |
| Brian Kondracki, Johnny So, Nick Nikiforakis | Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots | USENIX Security 2022 | NSA Best Paper Award Winner |
2021
| Author(s) Name(s) | Nominated Paper Title | Venue Previously Published | |
| Boston, Brett & Breese, Samuel & Dodds, Josiah & Dodds, Mike & Huffman, Brian & Petcher, Adam & Stefanescu, Andrei | Verified Cryptographic Code for Everybody | 33rd International Conference on Computer-Aided Verification | |
| Leslie Lamport and Fred B. Schneider | Verifying Hyperproperties with TLA | IEEE Computer Security Foundations Symposium | Winner of Paper Competition |
| Shih-Wei Li, Xupeng Li, Ronghui Gu, Jason Nieh, and John Zhuang Hui | A Secure and Formally Verified Linux KVM Hypervisor | 2021 IEEE Symposium on Security and Privacy | |
| L.Cheng, S. Ahmed, H. Liljestrand, T. Nyman, H. Cai, T. Jaeger, N. Asokan, D Yao | Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches | ACM TOPS | |
| Liwei Song and Prateek Mittal | Systematic Evaluation of Privacy Risks of Machine Learning Models | USENIX Security 21 | |
| Yu-Tsung Lee | PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems | USENIX Security 21 | |
| Alaa Daffalla, Lucy Simko, Tadayoshi Kohno, and Alexandru G. Bardas | Defensive Technology Use by Political Activists During the Sudanese Revolution | IEEE Symposium on Security and Privacy (Oakland) and later IEEE Security & Privacy | Honorable Mention of Paper Competition |
2020
| Author(s) Name(s) | Paper Title | Venue Previously Published | Notes |
| Yanyi Liu and Rafel Pass | On One-way Functions and Kolmogorov Complexity | FOCS 2020 | Winner of Paper Competition |
| Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, Deian Stefan | Retrofitting Fine Grain Isolation in the Firefox Renderer | 29th USENIX Security Symposium (USENIX Security '20) | Honorable Mention of Paper Competition |
| Ivan De Oliveira Nunes , Karim Eldefrawy, Norrathep Rattanavipanon, and Gene Tsudik | APEX: A Verified Architecture for Proofs of Execution on Remote Devices under Full Software Compromise | Usenix Security 2020 | |
| Sauvik Das | Blind and Human: Exploring More Usable Audio CAPTCHA Designs | SOUPS2020 | |
| Qasim Lone (TU Delft), Maciej Korczy_ski (Univ. Grenoble Alpes), Carlos H. Gañán (TU Delft), Michel van Eeten (TU Delft) | SAVing the Internet: Explaining the Adoption of Source Address Validation by Internet Service Providers | WEIS 2020 | |
| Freek Verbeek, Joshua A. Bockenek, and Binoy Ravindran | Highly Automated Formal Proofs over Memory Usage of Assembly Code | 26th International Conference, TACAS 2020 (Int’l Conf. on Tools and Algorithms for the Construction and Analysis of Systems), | |
| Isaac Polinsky, Kyle Martin, William Enck, Michael Reiter | n-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications | CODASPY 2020 | |
| Tim Nosco | The Industrial Age of Hacking | ||
| Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez | An Analysis of Pre-Installed Android Software | IEEE Symposium on Security and Privacy (2020) |
2019
| Link to Paper | Authors | Title | Venue | Notes |
| Link to Paper | Joseph P. Near, David Darais, Chike Abuah, Tim Stevens, Pranav Gaddamadugu, Lun Wang, Neel Somani, Mu Zhang, Nikhil Sharma, Alex Shan, Dawn Song | Duet: A Expressive Higher-Order Language and Linear Type System Statically Enforcing Differential Privacy | OOPSLA 2019 | |
| Link to Paper | Carmine Abate, Roberto Blanco, Deepak Garg, Catalin Hritcu, Marco Patrignani, Jérémy Thibault | Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation | CSF'19 | |
| Link to Paper | Inken Hagestedt, Yang Zhang, Mathias Humbert, Pascal Berrang, Haixu Tang, XiaoFeng Wang, Michael Backes | MBeacon: Privacy-Preserving Beacons for DNA Methylation Data | NDSS '19 | |
| Link to Paper | John D. Ramsdell, Paul D. Rowe, Perry Alexander, Sarah C. Helble, Peter Loscocco, J. Aaron Pendergrass, Adam Petz | Orchestrating Layered Attestations | POST '19 | |
| Link to Paper | Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek | How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples | IEEE S&P '19 | |
| Link to Paper | Robert Künnemann, Ilkan Esiyok, Michael Backes | Automated Verification of Accountability in Security Protocols | IEEE CSF '19 | |
| Link to Paper | Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom | Spectre Attacks: Exploiting Speculative Execution | IEEE S&P '19 | Winner of SoS Paper Competition |
| Link to Paper | On the Universally Composable Security of OpenStack | Hoda Maleki, Kyle Hogan, Reza Rahaeimehr, Ran Canetti, Marten van Dijk, Jason Hennessey, Mayank Varia, Haibin Zhang | IEEE SecDev '19 | |
| Link to Paper | Sven Hammann, Saša Radomirović, Ralf Sasse, David Basin | User Account Access Graphs | ACM CCS '19 | |
| Link to Paper | Joanna C. S. Santos, Adriana Sej!a, Taylor Corrello, Smruthi Gadenkanahalli and Mehdi Mirakhorli | Achilles’ heel of plug-and-Play software architectures: a grounded theory based approach | ESEC/FSE '19 |
2018
| Link | Authors | Title | Venue | Notes |
| Link to Paper | George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks | Evaluating Fuzz Testing | Conference on Computer and Communications Security (CCS) 2018 | Winner of SoS Paper Competition |
| Link to Paper | Gilles Barthe, Benjamin Grégoirey, Vincent Laporte | Secure compilation of side-channel countermeasures: the case of cryptographic “constant-time” | 2018 IEEE 31st Computer Security Foundations Symposium | |
| Link to Paper | Samuel Yeom, Irene Giacomelliy, Matt Fredrikson, Somesh Jha | Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting | 2018 IEEE 31st Computer Security Foundations Symposium | |
| Link to Paper | Shridatt Sugrim, Can Liu, Meghan McLean, Janne Lindqvist | Robust Performance Metrics for Authentication Systems | Network and Distributed System Security Symposium (NDSS) | |
| Link to Paper | Arthur Azevedo de Amorim, Catalin Hritcu, and Benjamin C. Pierce | The Meaning of Memory Safety | POST 2018: Principles of Security and Trust | |
| Link to Paper | Isabel Wagner, David Eckhoff | Technical Privacy Metrics: A Systematic Survey | ACM Computing Surveys (CSUR) | |
| Link to Paper | Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, et al | Meltdown: Reading Kernel Memory from User Space | 27th USENIX Security Symposium | Honorable Mention of SoS Paper Competition |
| Link to Paper | Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal Daume III, and Tudor Dumitras | When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks | 27th USENIX Security Symposium | |
| Link to Paper | Andrey Chudnov, Nathan Collins, Byron Cook, et al | Continuous Formal Verification of Amazon s2n | CAV 2018: Computer Aided Verification | Honorable Mention of SoS PAper Competition |
| Link to Paper | Mahmood Sharif, Jumpei Urakawa, Nicolas Christin, et al | Predicting Impending Exposure to Malicious Content from User Behavior | Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security | |
| Link to Paper | Elissa M. Redmiles, Ziyun Zhu, Sean Kross, Dhruv Kuchhal | Asking for a Friend: Evaluating Response Biases in Security User Studies | 2018 ACM SIGSAC Conference on Computer and Communications Security |
2017
| Link | Authors | Title | Venue | Notes |
| Link to Paper | Cormac Herley and Paul van Oorschot | SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit | 2017 IEEE Symposium on Security and Privacy | |
| Link to Paper | Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clementine Maurice, and Stefan Mangard | KASLR is Dead: Long Live KASLR | ESSoS 2017: Engineering Secure Software and Systems | Proposed solution, KASLR is basis for mitigation for Meltdown |
| Link to Paper | Ozgur Kafalı, Jasmine Jonesy, Megan Petrusoz, Laurie Williams, and Munindar P. Singh | How Good is a Security Policy against Real Breaches? A HIPAA Case Study | 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE) | |
| Link to Paper | Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson,William Melicher | Design and Evaluation of a Data-Driven Password Meter | 2017 CHI Conference on Human Factors in Computing Systems | |
| Link to Paper | Gilles Barthe, Sandrine Blazy, Vincent Laporte, David Pichardie and Alix Trieu | Verified Translation Validation of Static Analyses | 2017 IEEE 30th Computer Security Foundations Symposium | |
| Link to Paper | Tiffany Bao, Yan Shoshitaishviliy, Ruoyu Wangy, Christopher Kruegely, Giovanni Vignay, David Brumley | How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games | 2017 IEEE 30th Computer Security Foundations Symposium (CSF) | Winner of SoS Paper Competition |
| Link to Paper | Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman, David Wagner, and Konstantin Beznosov | The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences | 2017 IEEE Symposium on Security and Privacy (SP) | |
| Link to Paper | Ruba Abu-Salma, Anastasia Danilova, M. Angela Sasse, Alena Naiakshina, Joseph Bonneau, and Matthew Smith | Obstacles to the Adoption of Secure Communication Tools | 2017 IEEE Symposium on Security and Privacy (SP) | |
| Link to Paper | Jonathan M. Spring, Tyler Moore, and David Pym | Practicing a Science of Security: A Philosophy of Science Perspective | 2017 New Security Paradigms Workshop | Jonathan Spring presented at HoTSoS 2019 |
2016
| Link to Paper | Cormac Herley | Unfalsifiability of security claims | Proceedings of the National Academy of Sciences (PNAS) | |
| Link to Paper | Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek, Christian Stransky | You Get Where You’re Looking For: The Impact of Information Sources on Code Security | 2016 IEEE Symposium on Security and Privacy | Winner of the SoS Paper Competition |
| Link to Paper | Jaspreet Bhatia, Travis D. Breaux, Joel R. Reidenberg, Thomas B. Norton | A Theory of Vagueness and Privacy Risk Perception | 2016 IEEE International Conference on Requirements Engineering | |
| Link to Paper | Anibal Sanjab and Walid Saad | Data Injection Attacks on Smart Grids with Multiple Adversaries: A Game-Theoretic Perspective | IEEE Transactions on Smart Grid | |
| Link to Paper | Veronique Cortier, David Galindo, Ralf Kusters, Johannes Muller, Tomasz Truderung | SoK: Verifiability Notions for E-Voting Protocols | 2016 IEEE Symposium on Security and Privacy | |
| Link to Paper | Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, Nitesh Saxena | Device-Enhanced Password Protocols with Optimal Online-Offline Protection | 2016 Asia Conference on Computer and Communications Security | |
| Link to Paper | Mounir Assaf Stevens and David A. Naumann | Calculational Design of Information Flow Monitors | 2016 Computer Security Foundations Symposium | |
| Link to Paper | Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D. Breaux, and Jianwei Niu | Toward a Framework for Detecting Privacy Policy Violations in Android Application Code | 2016 EEE International Conference on Software Engineering | |
| Link to Paper | Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson | Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem | 2016 SIGSAC Conference on Computer and Communications Security (CCS) |
2015
| Link to Paper | Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Lei Zhou | Increasing cybersecurity investments in private sector firms | Journal of Cybersecurity | SoS Paper Competition - Honorable Mention |
| Link to Paper | Boulat A. Bash, Andrei H. Gheorghe, Monika Patel, Jonathan L. Habif, Dennis Goeckel, Don Towsley, & Saikat Guha | Quantum-secure covert communication on bosonic channels | Nature Communications | SoS Paper Competition - Honorable Mention |
| Link to Paper | Jing Chen, Christopher S. Gates, Ninghui Li, and Robert W. Proctor | Influence of Risk/Safety Information Framing on Android App-Installation Decisions | Journal of Cognitive Engineering and Decision Making | |
| Link to Paper | Soo-Jin Moon, Vyas Sekar, Michael K. Reiter | Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration | 2015 ACM Conference on Computer and Communications Security (CCS) | SoS Paper Competition Winner |
| Link to Paper | Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, Tudor Dumitras | The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching | 2015 IEEE Symposium on Security and Privacy | |
| Link to Paper | Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Stefan Brunthaler, Michael Franz | Readactor: Practical Code Randomization Resilient to Memory Disclosure | 2015 IEEE Symposium on Security and Privacy | |
| Link to Paper | Goran Doychev and Boris Kopf | Rational Protection Against Timing Attacks | 2015 Computer Security Foundations Symposium | |
| Link to Paper | Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, Stelios Sidiroglou-Douskos | Control Jujutsu:On the Weaknesses of Fine-Grained Control Flow Integrity | 2015 ACM Conference on Computer and Communications Security (CCS) | |
| Link to Paper | Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher and Richard Shay | Measuring Real-World Accuracies and Biases in Modeling Password Guessability | USENIX Security Symposium | |
| Link to Paper | Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, and Joshua Sunshine | Evaluating the Flexibility of the Java Sandbox | Annual Computer Security Applications Conference |
2014
| Link to Paper | Enes Gökta, Elias Athanasopoulos, Herbert Bos, Georgios Portokalidis | Out Of Control: Overcoming Control-Flow Integrity | 2014 IEEE Symposium on Security and Privacy | |
| Link to Paper | Johannes Dahse and Thorsten Holz | Static Detection of Second-Order Vulnerabilities in Web Applications | USENIX Security Symposium | |
| Link to Paper | Matthew Fredrikson, Eric Lantz, and Somesh Jha, Simon Lin, David Page and Thomas Ristenpart | Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing | USENIX Security Symposium | |
| Link to Paper | Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, Brian Zill, | Ironclad Apps: End-to-End Security via Automated Full-System Verification | USENIX Symposium on Operating Systems Design and Implementation | |
| Link to Paper | Ajaya Neupane, Nitesh Saxena, Keya Kuruvilla, Michael Georgescu, and Rajesh Kana | Neural Signatures of User-Centered Security: An fMRI Study of Phishing, and Malware Warnings | Network and Distributed System Security Symposium | |
| Link to Paper | Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, Michael Roe | The CHERI capability model: Revisiting RISC in an age of risk | international symposium on computer architecture | |
| Link to Paper | Saman A. Zonouz, Himanshu Khurana, William H. Sanders, and Timothy M. Yardley | RRE: A Game-Theoretic Intrusion Response and Recovery Engine | IEEE Transactions on Parallel and Distributed Systems | |
| Link to Paper | Sauvik Das, Adam D I Kramer, Laura Dabbish, Jason I Hong | Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation | 2014 ACM Conference on Computer and Communications Security (CCS) | SoS Paper Competitio - Honorable Mention |
| Link to Paper | Volodymyr Kuznetsov, László Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song | Code-Pointer Integrity | USENIX Symposium on Operating Systems Design and Implementation | |
| Link to Paper | Hamed Okhravi, James Riordan, and Kevin Carter | Quantitative Evaluation of Dynamic Platform Techniques as a Defensive Mechanism | International Symposium on Research in Attacks, Intrusions, and Defenses (RAID’14) | SoS Paper Competition - Honorable Mention |
| Link to Paper | Mario S. Alvim, Kostas Chatzikokolakis, Annabelle McIver, Carroll Morgan, Catuscia Palamidessi, Geoffrey Smith | Additive and multiplicative notions of leakage, and their capacities | 2014 IEEE Computer Security Foundations Symposium | SoS Paper Competition Winner |