ArchFlow is a tool which supports designing component-based systems with strong confidentiality guarantees. In the tool, a user can define hierarchical component-based models. The individual components in the model are then equipped with an information flow specification, and when components are composed either by delegation or assembly the compatibility of the specifications are checked in the tool. If there are no errors raised by the tool, then the composition will not lead to an information leak. The tool also supports generating Java code, and will, based on the component model, generate corresponding interfaces, classes and method stubs. The functionality of the methods can then be implemented using tool support for information flow control by-constructions (IFbC).

Modern mobility systems are highly interconnected and rely heavily on the exchange of potentially sensitive data. Assessing legal compliance, particularly in terms of data protection, and ensuring data confidentiality in such cyber-physical systems is challenging due to the inherent openness and uncertainty of both the system and its environment. The demonstrator illustrates that even a significantly reduced context, reflected by changes in vehicle types, infrastructure, server locations, or weather conditions, can create scenarios in which legal compliance or data confidentiality is violated. Because of uncertainties in the legal framework, system structure, and environmental conditions, the shown scenario comprises over 200 distinct states, each involving different data processing and flows.
To consider the impact of uncertainty and allow for continuous collaborative assessment of legal compliance already during the system design, the shown approaches use a scalable uncertainty-aware data flow analysis that utilizes the software architecture models to analyze the system’s legal compliance and confidentiality.

Vari-Joern is an analysis platform aimed at vulnerability discovery in high-configurable software systems. It is built around the off-the-shelf static code analysis tool Joern and offers two analysis strategies. The product-based strategy reads the system's feature model, samples configurations (i.e., specifications of software variants) using either t-wise interaction or uniform random sampling, composes the sampled configurations into actual variants, and analyzes the individual variants using Joern. The family-based strategy, on the other hand, transforms variable C code (i.e., C containing preprocessor conditionals) into plain C using so-called variability encoding and analyzes the transformed code (typically referred to as the product simulator) using Joern.
The screencast shows an analysis run of axTLS (a medium-sized variable C system realizing an SSL library) using the family-based analysis strategy. The resulting JSON report file lists a total of 119 warnings raised during the analysis of axTLS code, along with useful information such as presence conditions (i.e., features of the configurable system that need to be selected for a particular issue to arise).