WOOT '24 Call for Papers

Overview

The USENIX WOOT Conference brings together both academics and practitioners in the field of offensive security research. Occurring annually since 2007, when it was founded as the Workshop On Offensive Technologies, WOOT has become the top venue for collaboration between academia, independent hackers, and industry participants on offensive research. As offensive security has changed over the years to become a large-scale operation managed by well-capitalized actors, WOOT has consistently attracted a range of high-quality, peer-reviewed work from academia and industry on novel attacks, state-of-the-art tools, and offensive techniques. In 2024, WOOT becomes the USENIX WOOT Conference On Offensive Technologies with formal proceedings.

WOOT '24 welcomes submissions from academia, independent researchers, students, hackers, and industry. Two different submission tracks are available—an "academic" track for those intending to submit complete formal academic papers and a "practitioner" track for researchers who may be less familiar with academic procedures and may desire assistance writing a paper or just additional feedback and reviews, while believing that the community would benefit from their research being published in the more formal and complete form of a short paper.

Papers that have been formally reviewed and accepted will be presented during the WOOT conference and published in the formal proceedings. By submitting a paper, you agree that at least one of the authors will register for and attend the conference to present it.

Practitioner Track

Paper submissions due: Tuesday, February 20, 2024, 11:59 pm AoE Tuesday, March 5, 2024, 11:59 pm AoE
Final papers due: Thursday, May 23, 2024

Are you planning to give a cool talk on cutting-edge offensive security research at Black Hat, DEF CON, or another non-academic venue in 2024? Or do you have existing work that you think deserves publication in a more formal and complete form? Consider submitting to WOOT '24!

The practitioner track is intended for researchers with non-academic backgrounds and aims to provide more detailed feedback—or, where needed, one-to-one assistance from a "shepherd"—to help researchers transform their research into a complete paper that will be part of the scientific record. Just as with the academic track, all these papers will go through a peer-review process, and accepted papers will be published in WOOT's formal conference proceedings. To ensure that we can meet the deadlines for this process, we expect researchers to respond to feedback quickly and be willing and able to submit an updated, complete paper (with the assistance of a shepherd, if needed) within weeks of receiving feedback. Acceptance of final papers may be subject to shepherd approval. This track is a new experiment this year, so it will also be a learning experience for us!

We expect initial submissions to the Practitioner track to describe finished research in as much detail as possible. Submissions can be in any reasonable form (e.g., plain text, Markdown, Word, or LaTeX) and should consist of a draft paper or detailed write up. Submissions can be supported with slides, notes, code, or other material. The peer review process is double-blind, so submissions should be anonymous where possible; i.e., we request that you avoid any mention of author/group names and avoid obvious indications of who the authors are (e.g., references to previous work should be in the third person).

Authors of accepted papers are expected to continue to work with their shepherds (where relevant) to improve their papers. We expect final papers (after shepherd approval) to adhere to similar requirements to the academic track (see below), and be in the form of a short paper (up to 6 pages, plus a bibliography and appendices). WOOT also encourages the submission of "artifacts"—such as source code, documentation, and supporting data—to accompany an accepted paper.

Please contact the program co-chairs at woot24chairs@usenix.org with any questions related to these requirements.

Academic "Classic" Track

Paper submissions due: Tuesday, March 12, 2024, 11:59 pm AoE
Final papers due: Thursday, May 30, 2024

The academic track is aimed at researchers who are already familiar with the academic review process and plan to submit a complete formal academic paper. Of course, we welcome submissions to this track from anyone—not just academics. Papers should be succinct but thorough in presenting the work. Submissions should be finished, complete papers, and should not have significant editorial problems. The contribution needs to be well motivated, clearly exposed, and compared to the state of the art. All paper submissions should be at most 13 pages, excluding the bibliography and any clearly marked appendices. Submissions should be double-blind, i.e., anonymized and avoiding obvious self-references. Acceptance of final papers may be subject to shepherd approval.

Papers should be typeset on U.S. letter-sized pages in two-column format in 10-point Times Roman type on 12-point leading (single-spaced), in a text block 7" x 9" deep. Authors should use USENIX's LaTeX template and style files when preparing the paper for submission. Failure to adhere to the page limit and formatting requirements can be grounds for rejection.

Topics

Submissions should reflect the state of the art in offensive computer security technology, exposing poorly understood mechanisms, presenting novel attacks, highlighting the limitations of published attacks and defenses, or surveying the state of offensive operations at scale. WOOT '24 accepts papers in both an academic security context and more applied work that informs the field about the state of security practice in offensive techniques. The goal for these submissions is to produce published works that will guide future work in the field. Submissions will be peer-reviewed and shepherded as appropriate.

Submission topics include, but are not limited to, practical attacks on and offensive research into:

• Hardware, including embedded devices, physical attacks, cyber-physical systems, the "Internet of Things," and software-based exploitation of hardware vulnerabilities
• Web security, as well as browser and general client-side security (such as runtimes, JITs, and sandboxing)
• Machine Learning, LLMs and other artificial intelligence topics
• Operating system and hypervisor security
• Application security
• Network and distributed systems, including virtualization and the cloud
• Malware design, implementation and analysis, including (de)obfuscation and sandboxing
• Mitigations, their weaknesses, and how they can be (automatically) bypassed
• Innovative approaches for software security testing, such as fuzzing for novel targets
• Privacy and social issues
• Security of decentralized finance, smart contracts, and blockchain
• Practical attacks on deployed cryptographic systems
• Offensive applications of formal methods (such as solvers and symbolic execution)

"Systemization of Knowledge" (SoK) papers that evaluate, systematize, and contextualize existing knowledge are also encouraged. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems.

Ethical Considerations and Vulnerability Disclosure

We expect authors to carefully consider and address the potential harms associated with carrying out their research, as well as the potential negative consequences that could stem from publishing their work. Failure to do so may result in the rejection of a submission regardless of its quality and scientific value. Where relevant, papers should include a clear statement about why the benefit of the research outweighs the harms and how the authors have taken measures and followed best practices to ensure safety and minimize the potential harms caused by their research. This includes but is not limited to, considering the impact of your research on deployed systems, understanding the costs your research imposes on others, safely and appropriately collecting data, and following responsible disclosure.

In particular, if the submission deals with vulnerabilities (e.g., software vulnerabilities in a given program or design weaknesses in a hardware system), the authors need to discuss in detail the steps they have already taken or plan to take to address these vulnerabilities (e.g., by disclosing vulnerabilities to the vendors). When disclosure is necessary, authors should include a statement within their submission and/or final paper about steps taken to fulfill the goal of disclosure.

Final versions of accepted submissions should include all sources of funding in an acknowledgments section. Authors should also disclose any affiliations, interests, or other facts that might be relevant to readers seeking to interpret the work and its implications. Authors may wish to consider the 2023 IEEE S&P Financial Conflicts Policy for examples.

Conflicts of Interest

Program committee members who have conflicts of interest with a paper, including program co-chairs, will be excluded from the review, discussion, and evaluation of that paper where possible. During the submission process, we will ask authors to identify members of the program committee with whom they share a conflict of interest. This should include (1) anyone who shares an institutional affiliation with an author at the time of submission (including secondary affiliations and consulting work), (2) anyone who was the academic advisor or advisee of an author at any time in the past, (3) anyone the author has collaborated or published within the prior two years, (4) anyone who is affiliated with a party that funds your research, or (5) close personal relationships. For other forms of conflict, authors must contact the chairs and explain the perceived conflict.

Artifact Evaluation

All authors of accepted papers are encouraged to submit supporting artifacts (e.g., source code allowing research to be reproduced) alongside their final submissions. Each submitted artifact will be reviewed by the Artifact Evaluation Committee (AEC).

Submission Instructions

All submissions should be made online via the HotCRP submission form. We will not accept submissions via any other method.

All submissions will be judged on originality, relevance, correctness, and clarity. In addition to citing relevant published work, authors should relate their submission to any other relevant submissions of theirs in other academic venues that are under review at the same time as their submission to the conference. These citations to simultaneously submitted papers should be anonymized; non-anonymous versions of these citations should, however, be emailed to the program co-chairs at woot24chairs@usenix.org. Simultaneous submission of the same work to multiple academic venues, submission of previously published work, or plagiarism constitutes dishonesty or fraud. Failure to point out and explain overlap will be grounds for rejection. USENIX, like other scientific and technical conferences and journals, prohibits these practices and may take action against authors who have committed them. See the USENIX Conference Submissions Policy for details.

Note that work presented by the authors at industry conferences, such as Black Hat, is not considered to have been "previously published" for the purposes of WOOT '24. We strongly encourage the submission of such work to WOOT '24, particularly work that is well suited to a more formal and complete treatment in a published, peer-reviewed setting. In your submission, please note any previous or planned presentations of the work.

The program committee and external reviewers are required to treat all submissions as confidential. However, the program co-chairs or designated committee members may share submissions outside the program committee to allow chairs of other conferences to identify dual submissions. Papers that do not comply with the submission requirements, including length and anonymity, or that do not have a clear application to offensive security may be rejected without review. Papers accompanied by nondisclosure agreement forms will not be considered. Accepted submissions will be treated as confidential prior to publication on the WOOT '24 website; rejected submissions will be permanently treated as confidential.

As part of USENIX's open access policy, all papers will be available online before the conference. If your accepted paper should not be published prior to the event, please notify production@usenix.org after you submit your final accepted paper. USENIX also allows authors to retain ownership of the copyright in their works, requesting only that USENIX be granted the right to be the first publisher of that work. See our sample consent form for the complete terms of publication.

If the conference registration fee will pose a hardship for the presenter of an accepted paper, please contact conference@usenix.org.

Any other questions related to the submission process may be sent to the program co-chairs at woot24chairs@usenix.org; please reach out as soon as possible, since it may not be possible to answer late questions prior to the submission deadlines.