KASTEL Mobility Lab: Secure Software and Systems Development

The Mobility Lab aims at developing robust, secure, and legally compliant software systems for the next generation of connected and autonomous vehicles. As the complexity of mobility systems grows, so does the potential attack surface — making cybersecurity a critical priority across the entire automotive software lifecycle.
Our research at the Karlsruhe Institute of Technology (KIT) focuses on dedicated design and development methods tailored to the specific needs of automotive applications. These include early-stage security-by-design principles, advanced architectural analysis, automated code analysis, and domain-aware test generation. By addressing vulnerabilities from the ground up, we aim to create software that is not only functional but also resilient against emerging threats.

The Mobility Lab brings together interdisciplinary expertise in automotive software engineering, IT security law, and mobility systems to ensure that technical development aligns with evolving legal and regulatory requirements. This includes frameworks for secure requirements management, information flow control, and architecture-based risk assessment. Through close integration of research activities — from requirement engineering to testing — the lab supports a seamless and secure development process for future mobility platforms.

The outcomes contribute to areas such as secure EV charging infrastructures and privacy-preserving mobility services. By combining innovation with legal awareness, the Mobility Lab is helping shape a safer digital future for transportation.
Learn more about the results, publications, and collaborative tools by exploring the individual contributions below.

Modular Threat Analysis and Risk Assessment in Vehicle Supply Chains

Modeling the legal framework for IT-Security in the mobility domain

Information Flow Control by-Construction for Component-based Systems

Demonstrator: ArchFlow

ArchFlow is a tool that supports designing component-based systems with strong confidentiality guarantees. In the tool, a user defines hierarchical component-based models. Each component in the model is equipped with an information flow specification, and when components are composed, either by delegation or by assembly, the tool checks that the specifications are compatible. If the tool raises no errors, the composition will not lead to an information leak. The tool also generates Java code: based on the component model, it produces the corresponding interfaces, classes and method stubs. The functionality of the methods can then be implemented with tool support for information flow control by-construction (IFbC).

Collaborative Legal Assessments and Confidentiality Analysis Under Uncertainty

Demonstrator: TBD

Modern mobility systems are interconnected and share a lot of sensitive data. Analyzing and ensuring the data’s confidentiality in such cyber-physical systems is especially challenging due to the open context and uncertainty within the system and its environment. This demonstrator showcases the challenge of detecting confidentiality violations under high variability due to uncertainty, e.g., due to changing vehicle types and infrastructure or varying server locations and weather conditions. It uses a scalable uncertainty-aware data flow analysis that utilizes the software architecture to analyze the system’s confidentiality while considering the impact of uncertainty.

Vulnerability Discovery for Highly-Configurable Software Systems

Demonstrator: Vari-Joern

Vari-Joern is an analysis platform aimed at vulnerability discovery in highly-configurable software systems. It is built around the off-the-shelf static code analysis tool Joern and offers two analysis strategies. The product-based strategy reads the system's feature model, samples configurations (i.e., specifications of software variants) using either t-wise interaction sampling or uniform random sampling, composes the sampled configurations into actual variants, and analyzes the individual variants using Joern. The family-based strategy, on the other hand, transforms variable C code (i.e., C containing preprocessor conditionals) into plain C using so-called variability encoding and analyzes the transformed code (typically referred to as the product simulator) using Joern.
The screencast shows an analysis run of axTLS (a medium-sized variable C system realizing an SSL library) using the family-based analysis strategy. The resulting JSON report lists a total of 119 warnings raised during the analysis of the axTLS code, along with useful information such as presence conditions (i.e., the features of the configurable system that need to be selected for a particular issue to arise).
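The variability-encoding step of the family-based strategy, as an added example that is not Vari-Joern's own code: a minimal Python rewriter that turns statement-level `#ifdef`/`#ifndef`/`#else`/`#endif` into plain C with one runtime flag per feature, and records the presence condition of every source line so a warning on the product simulator can be mapped back to the features that enable it. The C snippet and the `CONFIG_SSL_*` feature names are constructed for this example, not taken from axTLS.

```python
import re
# Constructed sample of variable C (feature names and code are made up,
# not taken from axTLS or Vari-Joern).
VARIABLE_C = """\
int read_record(int *buf, int len) {
#ifdef CONFIG_SSL_ENABLE_CLIENT
    int n = len;
#ifdef CONFIG_SSL_SKIP_CHECK
    n = len + 1;
#else
    if (n > 16) return -1;
#endif
    return buf[n];
#endif
    return 0;
}
"""
DIRECTIVE = re.compile(r"\s*#\s*(ifdef|ifndef|else|endif)\b\s*(\w+)?")

def variability_encode(src, prefix="__vari_"):
    """Rewrite statement-level #ifdef/#ifndef/#else/#endif as runtime ifs and
    return (plain_c, presence): presence maps each source line to its literals."""
    out, features, stack, presence = [], {}, [], {}
    for lineno, line in enumerate(src.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:  # ordinary C line: keep it, record its presence condition
            out.append(line)
            presence[lineno] = list(stack)
            continue
        kw, feat = m.groups()
        if kw in ("ifdef", "ifndef"):
            features.setdefault(feat)  # ordered set of feature names
            neg = "!" if kw == "ifndef" else ""
            stack.append(neg + feat)
            out.append(f"if ({neg}{prefix}{feat}) {{")
        elif kw == "else":  # flip the innermost literal
            lit = stack.pop()
            stack.append(lit[1:] if lit.startswith("!") else "!" + lit)
            out.append("} else {")
        else:  # endif
            stack.pop()
            out.append("}")
    if stack:
        raise ValueError("unbalanced conditional directives")
    decls = [f"extern int {prefix}{f};" for f in features]  # one flag per feature
    return "\n".join(decls + out) + "\n", presence

def presence_string(literals):  # render a condition the way a report prints it
    return " && ".join(literals) or "true"
```

A full encoder must also handle `#if` expressions, conditionals around declarations and struct members, and the feature model's constraints; this example covers only the statement-level subset.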

Towards Architectural Pen Test Case Generation and Attack Surface Analysis to Support Secure Design