Micro-Id-Gym

Identity Management Workouts with Container-Based Microservices

Micro-Id-Gym is a framework in which users gain hands-on experience of how Identity Management (IdM) solutions work and increase their awareness of the underlying security issues. It is open source, released under the Apache-2.0 license, and you can contribute by visiting the project's repository.

Architecture

The Micro-Id-Gym Backend recreates locally a sandbox made of an Identity Provider (IdP) instance and a Client (C) instance. The sandbox is obtained either by uploading one's own proprietary sandbox or by composing a new one from the IdP and Client instances provided by the IdP and Client repositories.

The Micro-Id-Gym Frontend consists of tools that support the user's pentesting activities on the System Under Test (SUT), namely a Proxy, a set of Pentesting Tools, and two further tools called MSC Drawer and STIX Visualizer. The SUT can be a sandbox or any IdM protocol deployment reachable on the Internet.


Micro-Id-Gym Backend

The Micro-Id-Gym Backend is a test-environment generator tailored to IdM protocols: given the IdP and Client implementations available in its repositories (collected while using the tool for third parties), it automatically sets up a working environment on a local network and deploys it as the SUT. It contains:

  • Config Dashboard It is used to choose the IdM protocols as an IdP instance and one or more C instance(s) to deploy in the SUT, among the ones available. It is also used to configure some components of the Micro-Id-Gym Frontend.
  • Client Repository It contains the instances of Client.
  • Identity Provider Repository It contains the instances of Identity Provider.
  • STIX vulnerability repository It contains Cyber Threat Intelligence (CTI) information useful for assessing vulnerabilities, expressed in the Structured Threat Information Expression (STIX) format standardised by the OASIS CTI TC.

Micro-Id-Gym Frontend

The Micro-Id-Gym Frontend contains the tools that support the user's pentesting activities, either in a sandbox generated by the Micro-Id-Gym Backend or against any IdM protocol deployment reachable on the Internet. It is composed of:

  • Proxy It is a web proxy tool that intercepts the HTTP traffic between a browser and the servers of the SUT.
  • MSC Drawer It provides a message sequence chart of the authentication flow and it allows easier inspection of the exchanged messages.
  • Pentesting Tool It supports the user in pentesting an IdM protocol deployment by providing instruments that automatically detect security issues. The tools perform both passive tests (inspection of the intercepted messages) and active tests (modified messages replayed against the SUT).
  • STIX Visualizer It provides a graph of CTI information taken from the STIX vulnerability repository related to the intercepted authentication flow, currently only for SAML.
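To make the Proxy / MSC Drawer / passive Pentesting Tool pipeline concrete, the following added example (illustrative code, not part of Micro-Id-Gym) takes three HTTP messages as a web proxy would capture them during a SAML 2.0 Web Browser SSO login, rebuilds the message sequence chart as text, and runs a few passive checks on the SAML Response (signature present, response solicited by a seen AuthnRequest, Destination matching the receiving URL, assertion expiry and audience present). The hosts, message IDs and the constructed AuthnRequest/Response are hypothetical sample data; a presence check of ds:Signature is only a passive indicator and does not validate the signature.

```python
"""Passive checks over an intercepted SAML 2.0 Web SSO flow (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inflate_b64(data: str) -> str:
    return zlib.decompress(base64.b64decode(data), -15).decode()


# Constructed sample messages (hypothetical hosts and IDs).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="_req-1" '
    'Version="2.0" IssueInstant="2021-05-01T10:00:00Z" '
    'Destination="https://idp.example/sso" '
    'AssertionConsumerServiceURL="https://client.example/acs">'
    '<saml:Issuer>https://client.example</saml:Issuer></samlp:AuthnRequest>'
).format(p=NS["samlp"], a=NS["saml"])

# Deliberately unsigned and without AudienceRestriction, so the checks fire.
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_resp-1" '
    'Version="2.0" IssueInstant="2021-05-01T10:00:05Z" InResponseTo="_req-1" '
    'Destination="https://client.example/acs">'
    '<saml:Issuer>https://idp.example</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_assn-1" Version="2.0" IssueInstant="2021-05-01T10:00:05Z">'
    '<saml:Issuer>https://idp.example</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2021-05-01T10:00:00Z" '
    'NotOnOrAfter="2021-05-01T10:05:00Z"/>'
    '</saml:Assertion></samlp:Response>'
).format(p=NS["samlp"], a=NS["saml"])

# What the proxy sees: browser <-> Client, then browser <-> IdP, then back.
FLOW = [
    {"from": "Browser", "to": "Client", "method": "GET",
     "url": "https://client.example/login", "body": ""},
    {"from": "Browser", "to": "IdP", "method": "GET",
     "url": "https://idp.example/sso?SAMLRequest=" + quote(deflate_b64(AUTHN_REQUEST)),
     "body": ""},
    {"from": "Browser", "to": "Client", "method": "POST",
     "url": "https://client.example/acs",
     "body": "SAMLResponse=" + quote(base64.b64encode(SAML_RESPONSE.encode()).decode())},
]


def extract_saml(msg):
    """Return (kind, xml) if the message carries a SAML parameter, else None."""
    if msg["method"] == "GET":
        params = parse_qs(urlparse(msg["url"]).query)
        if "SAMLRequest" in params:  # Redirect binding
            return "AuthnRequest", inflate_b64(params["SAMLRequest"][0])
    else:
        params = parse_qs(msg["body"])
        if "SAMLResponse" in params:  # POST binding
            return "Response", base64.b64decode(params["SAMLResponse"][0]).decode()
    return None


def msc(flow):
    """Text message sequence chart: one 'A -> B: label' line per message."""
    lines = []
    for m in flow:
        label = f'{m["method"]} {urlparse(m["url"]).path}'
        found = extract_saml(m)
        if found:
            kind, xml = found
            label += f' [{kind} ID={ET.fromstring(xml).get("ID")}]'
        lines.append(f'{m["from"]} -> {m["to"]}: {label}')
    return lines


def passive_checks(flow):
    """Inspect the flow without replaying anything; return finding tags in order."""
    findings, request_ids = [], set()
    for m in flow:
        found = extract_saml(m)
        if not found:
            continue
        kind, xml = found
        root = ET.fromstring(xml)
        if kind == "AuthnRequest":
            request_ids.add(root.get("ID"))
            continue
        if (root.find("ds:Signature", NS) is None
                and root.find("saml:Assertion/ds:Signature", NS) is None):
            findings.append("missing-signature")
        if root.get("InResponseTo") not in request_ids:
            findings.append("unsolicited-response")  # Login CSRF surface
        if root.get("Destination") != m["url"]:
            findings.append("destination-mismatch")
        cond = root.find("saml:Assertion/saml:Conditions", NS)
        if cond is None or cond.get("NotOnOrAfter") is None:
            findings.append("missing-expiry")
        if cond is None or cond.find("saml:AudienceRestriction/saml:Audience", NS) is None:
            findings.append("missing-audience")
    return findings


if __name__ == "__main__":
    print("\n".join(msc(FLOW)))
    print("findings:", passive_checks(FLOW))
```

The message list stands in for the Proxy's capture; `msc` is the MSC Drawer's job in its simplest form, and `passive_checks` is the kind of passive test the Pentesting Tool runs before any active, mutated replay.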

Additional Contributors

Bachelor’s and master’s students from the University of Trento, involved in internships and theses in FBK:

  • Claudio Grisenti
  • Francesco Defilippo
  • Giulio Pellizzari
  • Ivan Martini
  • Leonidas Vasileiadis
  • Lorenzo Tait
  • Luca Bazzanella
  • Stefano Facchini
  • Valentina Odorizzi
  • Wendy Barreto

Related Talks

  • Andrea Bisegna, Roberto Carbone, and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    At: Italian Conference on Cybersecurity (ITASEC 2021) (news)

Related Publications

  • Sergio Manuel Nóbrega Gonçalves, Alessandro Tomasi, Andrea Bisegna, Giulio Pellizzari and Silvio Ranise
    Verifiable contracting
    In: DETIPS 2020 workshop, co-located with the 25th European Symposium on Research in Computer Security (ESORICS 2020)
  • Andrea Bisegna, Roberto Carbone, Mariano Ceccato, Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi and Emanuele Viglianisi
    Automated Assistance to the Security Assessment of API for Financial Services
    In: Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures (book chapter) (DOI)
  • Andrea Bisegna, Roberto Carbone, Giulio Pellizzari and Silvio Ranise
    Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI)
  • Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
    In: International Journal of Information Security and Cybercrime (IJISC), Volume 8, Issue 1 (DOI)

Related Theses

  • Wendy Barreto (2021)
    Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Luca Bazzanella (2021)
    Analysis of the State of the Art of DevSecOps: The Gitlab case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Francesco Defilippo (2021)
    Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Giulio Pellizzari (2020)
    Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Master's Thesis, University of Trento
  • Stefano Facchini (2020)
    Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Claudio Grisenti (2020)
    A pentesting tool for OAuth and OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Lorenzo Tait (2019)
    A Customized Threat Modeling for Secure Deployment And Pentesting of SAML SSO Solutions
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Ivan Martini (2018)
    An automated security testing framework for SAML SSO deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Valentina Odorizzi (2018)
    Design and development of a tool for the automatic analysis of "Missing XML Validation" vulnerabilities in SAML SSO (original title: Progettazione e sviluppo di uno strumento per l'analisi automatica di vulnerabilità "Missing XML Validation" in SAML SSO)
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento
  • Giulio Pellizzari (2018)
    Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
    Bachelor's Thesis, University of Trento

Involved People

  • Andrea Bisegna
  • Roberto Carbone
  • Silvio Ranise