
Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory

Conference paper, in: Emerging Technologies for Authorization and Authentication (ETAA 2020)

Abstract

Identity Management (IdM) solutions are increasingly important for the digital infrastructures of both enterprises and public administrations. Their security is a mandatory prerequisite for building trust in current and future digital ecosystems. Unfortunately, not only their secure deployment but even their usage are non-trivial activities that require a good level of security awareness. In order to test whether known exploits can be reproduced in different environments, better understand their effects, and facilitate the discovery of new vulnerabilities, we need a reliable testbed. For this, we present Micro-Id-Gym, which abstractly supports two main activities: the creation of sandboxes with an IdM protocol deployment, and the pentesting of IdM protocol deployments in the wild or in the laboratory (on the created sandboxes).


Notes

  1. https://www.oasis-open.org/committees/cti/.

  2. https://stfbk.github.io/complementary/ETAA2020.

  3. https://github.com/stfbk/micro-id-gym/.

  4. https://www.zaproxy.org/.


Author information

Corresponding author: Andrea Bisegna.

A Post-questionnaire

The following table shows the content of the post-experiment survey questionnaire mentioned in Sect. 5. It covers the clarity of the task objectives, the cognitive effects of the treatments on the behavior of the subjects, and the perceived usefulness of MSC Drawer. The first set of questions (Q1–Q6) needs to be answered twice (one answer for each performed lab), while the remaining set only needs to be answered once, as it refers to the overall session (Table 5).


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Bisegna, A., Carbone, R., Pellizzari, G., Ranise, S. (2020). Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2020. Lecture Notes in Computer Science, vol 12515. Springer, Cham. https://doi.org/10.1007/978-3-030-64455-0_5

  • DOI: https://doi.org/10.1007/978-3-030-64455-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64454-3

  • Online ISBN: 978-3-030-64455-0

  • eBook Packages: Computer Science (R0)