Skip to content

Latest commit

 

History

History
97 lines (81 loc) · 4.75 KB

Micro-Id-Gym.md

File metadata and controls

97 lines (81 loc) · 4.75 KB
title subtitle people publications theses
Micro-Id-Gym
Identity Management Workouts with Container-Based Microservices
AndreaBisegna
RobertoCarbone
SilvioRanise
MicroIDGym_2019
ETAA2020_MIG
SecAssAPIFinancial_book_2020
DETIPS2020
ETAA2021_MIG
GiulioPellizzari_B
ValentinaOdorizzi_B
IvanMartini_B
LorenzoTait_B
ClaudioGrisenti_B
StefanoFacchini_B
GiulioPellizzari_M
FrancescoDefilippo_B
LucaBazzanella_B
WendyBarreto_B
MatteoBitussi_B
SofiaZanrosso_B
MicheleZucchelli_B
AlessandroBiasi_B
LuigiDellEva_B

Micro-Id-Gym is a framework where users can develop hands-on experiences on how IdM solutions work and increase their awareness related to the underlying security issues. It is open-source, released under Apache-2.0 license and and you can contribute by visiting the project’s repository.

{% include toc.md %}

Architecture

The Micro-Id-Gym Backend is used to recreate locally a sandbox as an instance of an IdP and a C and it can be done by uploading the own proprietary sandbox or by composing a new sandbox choosing the instances of IdPs and Cs provided by the IdP and C repositories.

The Micro-Id-Gym Frontend consists of tools to support user pentesting activities on the System Under Test (SUT), namely a Proxy, a MIG Tool (MIG-T), and two tools called MSC Drawer and MSC STIX Visualizer. The SUT can be a sandbox or any IdM protocol available on Internet.

current_architecture

Dashboard

It is used to choose the IdM protocols as an IdP instance and one or more C instance(s) to deploy in the SUT, among the ones available. It is also used to configure some components of the Micro-Id-Gym Frontend.

Micro-Id-Gym Backend

The goal of the Micro-Id-Gym Backend is by construction to provide a test environment generator tailored to IdM protocols and deploy the environment in the SUT. Given a set of available IdM protocol implementations collected while using the tool for third parties, the SUT automatically sets-up a working environment in a local network. It contains:

  • Client Repository It contains the instances of Client.
  • Identity Provider Repository It contains the instances of Identity Provider.
  • STIX vulnerability repository It contains Cyber Threat Intelligence information useful for assessing vulnerabilities following the Structured Threat Information Expression STIX format proposed by OASIS CTI TC.

Micro-Id-Gym Frontend

The Micro-Id-Gym Frontend contains tools used to support user pentesting activities in a sandbox (generated by the Micro-Id-Gym Backend) or any IdM protocol available on Internet. It is composed by:

  • Proxy It is a web proxy tool that intercepts the HTTP traffic between a browser and the servers of the SUT.
  • MSC Drawer It provides a message sequence chart of the authentication flow and it allows easier inspection of the exchanged messages.
  • MIG-T It supports a user to perform pentesting of an IdM protocol deployment, by providing instruments to automatically detect security issues. The tools perform both passive and active tests.
  • STIX Visualizer It provides a graph of CTI information taken from the STIX vulnerability repository related to the intercepted authentication flow, currently only for SAML.

Additional Contributors

Bachelor's and master's students from the University of Trento, involved in internships and theses in FBK:

  • Wendy Barreto
  • Luca Bazzanella
  • Alessandro Biasi
  • Matteo Bitussi
  • Francesco Defilippo
  • Luigi Dell'Eva
  • Stefano Facchini
  • Claudio Grisenti
  • Ivan Martini
  • Valentina Odorizzi
  • Giulio Pellizzari
  • Lorenzo Tait
  • Leonidas Vasileiadis
  • Sofia Zanrosso
  • Michele Zucchelli

Related Talks

  • Andrea Bisegna, Roberto Carbone, and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    At: Italian Conference on Cybersecurity (ITASEC 2021) (news)
  • Andrea Bisegna, Roberto Carbone, and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    At: OWASP Italy Day 2021 (news)