Security & Trust

Micro-Id-Gym

Identity Management Workouts with Container-Based Microservices

Micro-Id-Gym is a framework where users can develop hands-on experiences on how IdM solutions work and increase their awareness related to the underlying security issues. It is open-source, released under Apache-2.0 license and and you can contribute by visiting the project’s repository.

Architecture

The Micro-Id-Gym Backend is used to recreate locally a sandbox as an instance of an IdP and a C and it can be done by uploading the own proprietary sandbox or by composing a new sandbox choosing the instances of IdPs and Cs provided by the IdP and C repositories.

The Micro-Id-Gym Frontend consists of tools to support user pentesting activities on the System Under Test (SUT), namely a Proxy, a MIG Tool (MIG-T), and two tools called MSC Drawer and MSC STIX Visualizer. The SUT can be a sandbox or any IdM protocol available on Internet.

current_architecture

Dashboard

It is used to choose the IdM protocols as an IdP instance and one or more C instance(s) to deploy in the SUT, among the ones available. It is also used to configure some components of the Micro-Id-Gym Frontend.

Micro-Id-Gym Backend

The goal of the Micro-Id-Gym Backend is by construction to provide a test environment generator tailored to IdM protocols and deploy the environment in the SUT. Given a set of available IdM protocol implementations collected while using the tool for third parties, the SUT automatically sets-up a working environment in a local network. It contains:

  • Client Repository It contains the instances of Client.
  • Identity Provider Repository It contains the instances of Identity Provider.
  • STIX vulnerability repository It contains Cyber Threat Intelligence information useful for assessing vulnerabilities following the Structured Threat Information Expression STIX format proposed by OASIS CTI TC.

Micro-Id-Gym Frontend

The Micro-Id-Gym Frontend contains tools used to support user pentesting activities in a sandbox (generated by the Micro-Id-Gym Backend) or any IdM protocol available on Internet. It is composed by:

  • Proxy It is a web proxy tool that intercepts the HTTP traffic between a browser and the servers of the SUT.
  • MSC Drawer It provides a message sequence chart of the authentication flow and it allows easier inspection of the exchanged messages.
  • MIG-T It supports a user to perform pentesting of an IdM protocol deployment, by providing instruments to automatically detect security issues. The tools perform both passive and active tests.
  • STIX Visualizer It provides a graph of CTI information taken from the STIX vulnerability repository related to the intercepted authentication flow, currently only for SAML.

Additional Contributors

Bachelor’s and master’s students from the University of Trento, involved in internships and theses in FBK:

  • Wendy Barreto
  • Luca Bazzanella
  • Alessandro Biasi
  • Matteo Bitussi
  • Francesco Defilippo
  • Luigi Dell’Eva
  • Stefano Facchini
  • Claudio Grisenti
  • Ivan Martini
  • Valentina Odorizzi
  • Giulio Pellizzari
  • Lorenzo Tait
  • Leonidas Vasileiadis
  • Sofia Zanrosso
  • Michele Zucchelli

Related Talks

  • Andrea Bisegna, Roberto Carbone, and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    At: Italian Conference on Cybersecurity (ITASEC 2021) (news)
  • Andrea Bisegna, Roberto Carbone, and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    At: OWASP Italy Day 2021 (news)

Related Publications

  • Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Silvio Ranise
    Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool
    In: IEEE Security & Privacy (DOI, news)
  • Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Luca Compagna, Silvio Ranise, Avinash Sudhodanan
    CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process
    In: 9th IEEE European Symposium on Security and Privacy (EUROS&P 2024) (DOI, complementary material)
  • Andrea Bisegna, Roberto Carbone, Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2021) (DOI)
  • Sergio Manuel Nóbrega Gonçalves, Alessandro Tomasi, Andrea Bisegna, Giulio Pellizzari, Silvio Ranise
    Verifiable Contracting: A Use Case for Onboarding and Contract Offering in Financial Services with eIDAS and Verifiable Credentials
    In: 25th European Symposium on Research in Computer Security (DETIPS2020) (DOI)
  • Andrea Bisegna, Roberto Carbone, Mariano Ceccato, Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi, Emanuele Viglianisi
    Automated Assistance to the Security Assessment of API for Financial Services in book Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures
    In: Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures (DOI)
  • Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI)
  • Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
    In: International Journal of Information Security and Cybercrime (IJISP), Volume 8, Issue 1 (DOI)

Related Theses

  • Roberto Savi (Bachelor's Thesis, University of Trento, 2024)
    Integrating Pentesting Tools for Identity Management Protocols into DevSecOps: The MIG-T Use Case
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Laura Cristiano, Pietro De Matteis
  • Pier Guido Seno (Bachelor's Thesis, University of Trento, 2024)
    From Local to Remote: Enhancing MIG-T Pentesting Tool with SaaS for Securing Digital Identity
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Laura Cristiano
  • Luigi Dell'Eva (Bachelor's Thesis, University of Trento, 2023)
    Chatting is Healthy: How Better Cybersecurity Hygiene can be Obtained by Integrating Chatbots with Pentesting Tools
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Eleonora Marchesini
  • Alessandro Biasi (Bachelor's Thesis, University of Trento, 2023)
    Syntax and Semantics of a Declarative Language for Security Testing of Browser-based Security Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giuseppe Alessio Sciumè (Bachelor's Thesis, University of Trento, 2022)
    A Comprehensive Analysis of the OAuth 2.0 Threat Model to Develop a Chatbot Providing Actionable Security Suggestions
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Andrea Bisegna
  • Michele Zucchelli (Bachelor's Thesis, University of Trento, 2022)
    Pimp My Micro-Id-Gym: Enhancing the Automation and Usability of a Security Testing Tool for Digital Identity Protocol
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Sofia Zanrosso (Bachelor's Thesis, University of Trento, 2022)
    Enlarging the Pen-Test Coverage of SAML Single Sign-On Solutions with Cyber Threat Intelligence
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022)
    Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Wendy Barreto (Bachelor's Thesis, University of Trento, 2021)
    Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Luca Bazzanella (Bachelor's Thesis, University of Trento, 2021)
    Analysis of the State of the Art of DevSecOps: The Gitlab case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Francesco Defilippo (Bachelor's Thesis, University of Trento, 2021)
    Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Master's Thesis, University of Trento, 2020)
    Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Stefano Facchini (Bachelor's Thesis, University of Trento, 2020)
    Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
    A pentesting tool for OAuth and OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Lorenzo Tait (Bachelor's Thesis, University of Trento, 2019)
    A Customized Threat Modeling for Secure Deployment And Pentesting of SAML SSO Solutions
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Ivan Martini (Bachelor's Thesis, University of Trento, 2018)
    An automated security testing framework for SAML SSO deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Valentina Odorizzi (Bachelor's Thesis, University of Trento, 2018)
    Progettazione e sviluppo di uno strumento per l'analisi automatica di vulnerabilità "Missing XML Validation" in SAML SSO
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Bachelor's Thesis, University of Trento, 2018)
    Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

Involved People

Andrea Bisegna

Andrea Bisegna

Roberto Carbone

Roberto Carbone

Silvio Ranise

Silvio Ranise