Notable SoS Papers

To help the SoS Community be aware of the top security papers in the past year, the SoS Initiative is compiling a list of about 10-15 papers each year. This list is to help the community prioritize reading. These are just the best papers one of us has read in the year. We're trying to keep the list short, so there will be outstanding papers missing.

2019 | 2018 | 2017 | 2016 | 2015 | 2014

2019

| Link to Paper | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | Joseph P. Near, David Darais, Chike Abuah, Tim Stevens, Pranav Gaddamadugu, Lun Wang, Neel Somani, Mu Zhang, Nikhil Sharma, Alex Shan, Dawn Song | Duet: An Expressive Higher-Order Language and Linear Type System for Statically Enforcing Differential Privacy | OOPSLA 2019 | |
| Link to Paper | Carmine Abate, Roberto Blanco, Deepak Garg, Catalin Hritcu, Marco Patrignani, Jeremy Thibault | Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation | CSF'19 | |
| Link to Paper | Inken Hagestedt, Yang Zhang, Mathias Humbert, Pascal Berrang, Haixu Tang, XiaoFeng Wang, Michael Backes | MBeacon: Privacy-Preserving Beacons for DNA Methylation Data | NDSS '19 | |
| Link to Paper | John D. Ramsdell, Paul D. Rowe, Perry Alexander, Sarah C. Helble, Peter Loscocco, J. Aaron Pendergrass, Adam Petz | Orchestrating Layered Attestations | POST '19 | |
| Link to Paper | Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek | How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples | IEEE S&P '19 | |
| Link to Paper | Robert Kunnemann, Ilkan Esiyok, Michael Backes | Automated Verification of Accountability in Security Protocols | IEEE CSF '19 | |
| Link to Paper | Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom | Spectre Attacks: Exploiting Speculative Execution | IEEE S&P '19 | |
| Link to Paper | Hoda Maleki, Kyle Hogan, Reza Rahaeimehr, Ran Canetti, Marten van Dijk, Jason Hennessey, Mayank Varia, Haibin Zhang | On the Universally Composable Security of OpenStack | IEEE SecDev '19 | |
| Link to Paper | Sven Hammann, Sasa Radomirovic, Ralf Sasse, David Basin | User Account Access Graphs | ACM CCS '19 | |
| Link to Paper | Joanna C. S. Santos, Adriana Sejfia, Taylor Corrello, Smruthi Gadenkanahalli and Mehdi Mirakhorli | Achilles' heel of plug-and-play software architectures: a grounded theory based approach | ESEC/FSE '19 | |

2018

| Link | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks | Evaluating Fuzz Testing | Conference on Computer and Communications Security (CCS) 2018 | |
| Link to Paper | Gilles Barthe, Benjamin Gregoire, Vincent Laporte | Secure compilation of side-channel countermeasures: the case of cryptographic "constant-time" | 2018 IEEE 31st Computer Security Foundations Symposium | |
| Link to Paper | Samuel Yeom, Irene Giacomelli, Matt Fredrikson, Somesh Jha | Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting | 2018 IEEE 31st Computer Security Foundations Symposium | |
| Link to Paper | Shridatt Sugrim, Can Liu, Meghan McLean, Janne Lindqvist | Robust Performance Metrics for Authentication Systems | Network and Distributed System Security Symposium (NDSS) | |
| Link to Paper | Arthur Azevedo de Amorim, Catalin Hritcu, and Benjamin C. Pierce | The Meaning of Memory Safety | POST 2018: Principles of Security and Trust | |
| Link to Paper | Isabel Wagner, David Eckhoff | Technical Privacy Metrics: A Systematic Survey | ACM Computing Surveys (CSUR) | |
| Link to Paper | Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, et al | Meltdown: Reading Kernel Memory from User Space | 27th USENIX Security Symposium | |
| Link to Paper | Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal Daume III, and Tudor Dumitras | When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks | 27th USENIX Security Symposium | |
| Link to Paper | Andrey Chudnov, Nathan Collins, Byron Cook, et al | Continuous Formal Verification of Amazon s2n | CAV 2018: Computer Aided Verification | |
| Link to Paper | Mahmood Sharif, Jumpei Urakawa, Nicolas Christin, et al | Predicting Impending Exposure to Malicious Content from User Behavior | Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security | |
| Link to Paper | Elissa M. Redmiles, Ziyun Zhu, Sean Kross, Dhruv Kuchhal | Asking for a Friend: Evaluating Response Biases in Security User Studies | 2018 ACM SIGSAC Conference on Computer and Communications Security | |

2017

| Link | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | Cormac Herley and Paul van Oorschot | SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit | 2017 IEEE Symposium on Security and Privacy | |
| Link to Paper | Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clementine Maurice, and Stefan Mangard | KASLR is Dead: Long Live KASLR | ESSoS 2017: Engineering Secure Software and Systems | Proposed solution, KASLR is basis for mitigation for Meltdown |
| Link to Paper | Ozgur Kafali, Jasmine Jones, Megan Petruso, Laurie Williams, and Munindar P. Singh | How Good is a Security Policy against Real Breaches? A HIPAA Case Study | 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE) | |
| Link to Paper | Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher | Design and Evaluation of a Data-Driven Password Meter | 2017 CHI Conference on Human Factors in Computing Systems | |
| Link to Paper | Gilles Barthe, Sandrine Blazy, Vincent Laporte, David Pichardie and Alix Trieu | Verified Translation Validation of Static Analyses | 2017 IEEE 30th Computer Security Foundations Symposium | |
| Link to Paper | Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, David Brumley | How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games | 2017 IEEE 30th Computer Security Foundations Symposium (CSF) | Winner of SoS Paper Competition |
| Link to Paper | Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman, David Wagner, and Konstantin Beznosov | The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences | 2017 IEEE Symposium on Security and Privacy (SP) | |
| Link to Paper | Ruba Abu-Salma, Anastasia Danilova, M. Angela Sasse, Alena Naiakshina, Joseph Bonneau, and Matthew Smith | Obstacles to the Adoption of Secure Communication Tools | 2017 IEEE Symposium on Security and Privacy (SP) | |
| Link to Paper | Jonathan M. Spring, Tyler Moore, and David Pym | Practicing a Science of Security: A Philosophy of Science Perspective | 2017 New Security Paradigms Workshop | Jonathan Spring presented at HoTSoS 2019 |

2016

| Link | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | Cormac Herley | Unfalsifiability of security claims | Proceedings of the National Academy of Sciences (PNAS) | |
| Link to Paper | Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek, Christian Stransky | You Get Where You're Looking For: The Impact of Information Sources on Code Security | 2016 IEEE Symposium on Security and Privacy | Winner of the SoS Paper Competition |
| Link to Paper | Jaspreet Bhatia, Travis D. Breaux, Joel R. Reidenberg, Thomas B. Norton | A Theory of Vagueness and Privacy Risk Perception | 2016 IEEE International Conference on Requirements Engineering | |
| Link to Paper | Anibal Sanjab and Walid Saad | Data Injection Attacks on Smart Grids with Multiple Adversaries: A Game-Theoretic Perspective | IEEE Transactions on Smart Grid | |
| Link to Paper | Veronique Cortier, David Galindo, Ralf Kusters, Johannes Muller, Tomasz Truderung | SoK: Verifiability Notions for E-Voting Protocols | 2016 IEEE Symposium on Security and Privacy | |
| Link to Paper | Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, Nitesh Saxena | Device-Enhanced Password Protocols with Optimal Online-Offline Protection | 2016 Asia Conference on Computer and Communications Security | |
| Link to Paper | Mounir Assaf Stevens and David A. Naumann | Calculational Design of Information Flow Monitors | 2016 Computer Security Foundations Symposium | |
| Link to Paper | Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D. Breaux, and Jianwei Niu | Toward a Framework for Detecting Privacy Policy Violations in Android Application Code | 2016 IEEE International Conference on Software Engineering | |
| Link to Paper | Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson | Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem | 2016 SIGSAC Conference on Computer and Communications Security (CCS) | |

2015

| Link | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Lei Zhou | Increasing cybersecurity investments in private sector firms | Journal of Cybersecurity | SoS Paper Competition - Honorable Mention |
| Link to Paper | Boulat A. Bash, Andrei H. Gheorghe, Monika Patel, Jonathan L. Habif, Dennis Goeckel, Don Towsley, & Saikat Guha | Quantum-secure covert communication on bosonic channels | Nature Communications | SoS Paper Competition - Honorable Mention |
| Link to Paper | Jing Chen, Christopher S. Gates, Ninghui Li, and Robert W. Proctor | Influence of Risk/Safety Information Framing on Android App-Installation Decisions | Journal of Cognitive Engineering and Decision Making | |
| Link to Paper | Soo-Jin Moon, Vyas Sekar, Michael K. Reiter | Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration | 2015 ACM Conference on Computer and Communications Security (CCS) | SoS Paper Competition Winner |
| Link to Paper | Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, Tudor Dumitras | The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching | 2015 IEEE Symposium on Security and Privacy | |
| Link to Paper | Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Stefan Brunthaler, Michael Franz | Readactor: Practical Code Randomization Resilient to Memory Disclosure | 2015 IEEE Symposium on Security and Privacy | |
| Link to Paper | Goran Doychev and Boris Kopf | Rational Protection Against Timing Attacks | 2015 Computer Security Foundations Symposium | |
| Link to Paper | Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, Stelios Sidiroglou-Douskos | Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity | 2015 ACM Conference on Computer and Communications Security (CCS) | |
| Link to Paper | Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher and Richard Shay | Measuring Real-World Accuracies and Biases in Modeling Password Guessability | USENIX Security Symposium | |
| Link to Paper | Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, and Joshua Sunshine | Evaluating the Flexibility of the Java Sandbox | Annual Computer Security Applications Conference | |

2014

| Link | Authors | Title | Venue | Notes |
| --- | --- | --- | --- | --- |
| Link to Paper | Enes Goktas, Elias Athanasopoulos, Herbert Bos, Georgios Portokalidis | Out Of Control: Overcoming Control-Flow Integrity | 2014 IEEE Symposium on Security and Privacy | |
| Link to Paper | Johannes Dahse and Thorsten Holz | Static Detection of Second-Order Vulnerabilities in Web Applications | USENIX Security Symposium | |
| Link to Paper | Matthew Fredrikson, Eric Lantz, and Somesh Jha, Simon Lin, David Page and Thomas Ristenpart | Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing | USENIX Security Symposium | |
| Link to Paper | Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, Brian Zill | Ironclad Apps: End-to-End Security via Automated Full-System Verification | USENIX Symposium on Operating Systems Design and Implementation | |
| Link to Paper | Ajaya Neupane, Nitesh Saxena, Keya Kuruvilla, Michael Georgescu, and Rajesh Kana | Neural Signatures of User-Centered Security: An fMRI Study of Phishing, and Malware Warnings | Network and Distributed System Security Symposium | |
| Link to Paper | Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, Michael Roe | The CHERI capability model: Revisiting RISC in an age of risk | International Symposium on Computer Architecture | |
| Link to Paper | Saman A. Zonouz, Himanshu Khurana, William H. Sanders, and Timothy M. Yardley | RRE: A Game-Theoretic Intrusion Response and Recovery Engine | IEEE Transactions on Parallel and Distributed Systems | |
| Link to Paper | Sauvik Das, Adam D I Kramer, Laura Dabbish, Jason I Hong | Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation | 2014 ACM Conference on Computer and Communications Security (CCS) | SoS Paper Competition - Honorable Mention |
| Link to Paper | Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song | Code-Pointer Integrity | USENIX Symposium on Operating Systems Design and Implementation | |
| Link to Paper | Hamed Okhravi, James Riordan, and Kevin Carter | Quantitative Evaluation of Dynamic Platform Techniques as a Defensive Mechanism | International Symposium on Research in Attacks, Intrusions, and Defenses (RAID'14) | SoS Paper Competition - Honorable Mention |
| Link to Paper | Mario S. Alvim, Kostas Chatzikokolakis, Annabelle McIver, Carroll Morgan, Catuscia Palamidessi, Geoffrey Smith | Additive and multiplicative notions of leakage, and their capacities | 2014 IEEE Computer Security Foundations Symposium | SoS Paper Competition Winner |