Sean Oesch

Degree: PhD

Advisor: Scott Ruoti

Email: toesch1@vols.utk.edu
Address: Min H. Kao Building, Room 339
1520 Middle Drive
Knoxville, TN 37996-2250

My current research at UTK aims to make authentication more secure by offering concrete solutions to problems with password manager design and implementation. I also explored the use of nation scale mobile ad hoc networks to enable communication over large areas when it would otherwise be impossible, such as after natural disasters or in heavily censored regions. My work at Oak Ridge National Laboratory spans everything from the use of images of vehicles at stoplights to enhance fuel efficiency in cities to the usability and efficacy of Intrusion Detection Systems. My research interests are chiefly within the realm of security and privacy, though I’m willing travel beyond those borders to explore interesting and challenging problems.

Honors

  • Science Alliance Student Mentoring and Research Training (SMaRT) fellowship (2020)

Publications

Understanding User Perceptions of Security and Privacy for Group Chat: A Survey of Users in The US and UK. Sean Oesch, Ruba Abu-Salma, Oumar Diallo, Juliane Krämer, James Simmons, Justin Wu, and Scott Ruoti. In Proceedings of the 36th Annual Computer Security Applications Conference. ACM, 2020. (ACSAC)
Abstract: Secure messaging tools are an integral part of modern society. While there is a significant body of secure messaging research generally, there is a lack of information regarding users' security and privacy perceptions and requirements for secure group chat. To address this gap, we conducted a survey of 996 participants in the US and UK. The results of our study show that group chat presents important security and privacy challenges, some of which are not present in one-to-one chat. For example, users need to be able to manage and monitor group membership, establish trust for new group members, and filter content that they share in different chat contexts. Similarly, we find that the sheer volume of notifications that occur in group chat makes it extremely likely that users ignore important security- or privacy- notifications. We also find that participants lack mechanisms for determining which tools are secure and instead rely on non-technical strategies for protecting their privacy—for example, self-filtering what they post and carefully tracking group membership. Based on these findings we provide recommendations on how to improve the security and usability of secure group chat.
That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. Sean Oesch and Scott Ruoti. In Proceedings of the 30th USENIX Security Symposium. USENIX, 2020. (USENIX Security, 16% acceptance rate)
Abstract: Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication, however prior research has identified significant vulnerabilities in existing password managers. Since that time, five years has passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle—password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues, particularly with browser-based password managers; these problems include unencrypted metadata, unsafe defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.
Estimating Vehicle Fuel Economy from Overhead Camera Imagery and Application for Traffic Control. Tom Karnowski, Ryan Tokola, and Sean Oesch. In Proceedings of the 2020 IS&T International Symposium on Electronic Imaging. 2020. (IS&T)
Abstract: In this work, we explore the ability to estimate vehicle fuel consumption using imagery from overhead fisheye lens cameras deployed as traffic sensors. We utilize this information to simulate vision-based control of a traffic intersection, with a goal of improving fuel economy with minimal impact to mobility. We introduce the ORNL Overhead Vehicle Data set (OOVD), consisting of a data set of paired, labeled vehicle images from a ground-based camera and an overhead fisheye lens traffic camera. The data set includes segmentation masks based on Gaussian mixture models for vehicle detection. We show the data set utility through three applications—estimation of fuel consumption based on segmentation bounding boxes, vehicle discrimination for vehicles with large bounding boxes, and fine-grained classification on a limited number of vehicle makes and models using a pre-trained set of convolutional neural network models. We compare these results with estimates based on a large open-source data set of web-scraped imagery. Finally, we show the utility of the approach using reinforcement learning in a traffic simulator using the open source Simulation of Urban Mobility (SUMO) package. Our results demonstrate the feasibility of the approach for controlling traffic lights for better fuel efficiency based solely on visual vehicle estimates from commercial, fisheye lens cameras.
Nation Scale Mobile Ad Hoc Network for Normally Isolated Topologies. Sean Oesch and Max Schuchard. In Proceedings of the 12th IEEE International Conference on Cyber, Physical and Social Computing. IEEE, 2019. IEEE Outstanding Paper Award. (CPSCom, 17% acceptance rate)
Abstract: When network infrastructure is down after disasters such as hurricane Maria, in the face of extreme censorship and in remote areas without infrastructure novel solutions for large scale delay tolerant communications are needed. Nation Scale Mobile Ad Hoc Network, or NSHoc, enables smartphone users to request and receive content via opportunistic encounters at nation scale with no prior knowledge of network members and in sparse topologies where individual nodes may remain isolated for minutes or even hours at a time. We call such sparse topologies normally isolated. It does so by leveraging mobile ad hoc networks that rely on opportunistic encounters between users to distribute content. We use a custom simulator to test the system over two nation scale topologies, Puerto Rico and Syria. With 10K users, NSHoc can deliver over 95% of requested content to over 97% of users in 143 locations spread throughout Puerto Rico in less than 5 hours on average with a total throughput of .42 pieces of content per second. Significantly, these results are not simply the consequence of popular content being cached. We demonstrate that requests for unpopular content are also satisfied due to the benefits of ubiquitous caching. In addition, we show that NSHoc remains performant across a variety of topologies, mobility models and content distributions. No known prior work considers such large scale, sparse topologies. This work shows that MANETs are an attractive alternative for distributing content at nation scale in the face of infrastructure loss even when users are normally isolated.