Publications

This page lists selected publications that present the foundation, application, and extension of the xDECAF framework. The extensible analysis framework has been presented in this premiere publication:

N. Boltz and S. Hahner, et al., "An Extensible Framework for Architecture-Based Data Flow Analysis for Information Security", European Conference on Software Architecture (ECSA), Springer, 2024, doi: 10.1007/978-3-031-66326-0_21.

Analysis Framework

Further publications present various aspects of the analysis framework, e.g., the analysis algorithm, or the constraint formulation:

• F. Reiche, R. Reussner, R. Heinrich, "Detecting Information Flow Security Vulnerabilities by Analysis Coupling", Transactions on Software Engineering, IEEE, 2025, doi: 10.1109/TSE.2025.3589647
• N. Boltz, L. Schmid, B. Taghavi, et al., "Modeling and Analyzing Zero Trust Architectures Regarding Performance and Security", European Conference on Software Architecture (ECSA), Springer, 2024, doi: 10.1007/978-3-031-70797-1_17
• N. Boltz, S. Hahner, C. Gerking, et al., "An Extensible Framework for Architecture-Based Data Flow Analysis for Information Security", European Conference on Software Architecture (ECSA), Springer, 2024, doi: 10.1007/978-3-031-66326-0_21
• N. Niehues, B. Arp, T. Hüller, et al., "Integrating Security-Enriched Data Flow Diagrams Into Architecture-Based Confidentiality Analysis", Softwaretechnik‑Trends, Gesellschaft für Informatik, 2024
• T. Hüller, F. Schwickerath, B. Arp, et al., "Towards a Data Flow Diagram‑Centric Confidentiality Analysis in Palladio", Softwaretechnik‑Trends, Gesellschaft für Informatik, 2024
• B. Arp, N. Niehues, T. Hüller, et al., "Analyzing Cyclic Data Flow Diagrams Regarding Information Security", Softwaretechnik‑Trends, Gesellschaft für Informatik, 2024
• F. Schwickerath, N. Boltz, S. Hahner, et al., "Tool-Supported Architecture-Based Data Flow Analysis for Confidentiality", arXiv, arXiv, 2023, doi: 10.48550/arXiv.2308.01645
• S. Seifermann, R. Heinrich, D. Werle, et al., "Detecting violations of access control and information flow policies in data flow diagrams", Journal of Systems and Software, Elsevier, 2022, doi: 10.1016/j.jss.2021.111138
• S. Seifermann, "Architectural Data Flow Analysis for Detecting Violations of Confidentiality Requirements", Karlsruhe Institute of Technology (KIT), Karlsruhe Institute of Technology (KIT), 2022, doi: 10.5445/IR/1000148748
• S. Hahner, S. Seifermann, R. Heinrich, et al., "Modeling Data Flow Constraints for Design‑Time Confidentiality Analyses", International Conference on Software Architecture Companion (ICSA‑C), IEEE, 2021, doi: 10.1109/ICSA‑C52384.2021.00009
• S. Seifermann, R. Heinrich, D. Werle, et al., "A Unified Model to Detect Information Flow and Access Control Violations in Software Architectures", International Conference on Security and Cryptography, SCITEPRESS, 2021, doi: 10.5220/0010515300260037
• S. Seifermann, R. Heinrich, R. Reussner, "Data-Driven Software Architecture for Analyzing Confidentiality", International Conference on Software Architecture (ICSA), IEEE, 2019, doi: 10.1109/ICSA.2019.00009
• S. Seifermann, "Architectural Data Flow Analysis", Working IEEE/IFIP Conference on Software Architecture (WICSA), IEEE, 2016, doi: 10.1109/WICSA.2016.49

Analysis Extensions

The data flow analysis framework has already been successfully extended to define additional analysis capabilities, e.g., to consider uncertainty or legal aspects. The following list shows a selection of projects and associated publications.

ABUNAI – Architecture-Based and Uncertainty-Aware Confidentiality Analysis

ABUNAI supports the modeling and analysis of uncertainty and its impact on confidentiality. By combining data flow analysis with architecture-based uncertainty propagation, predictions can be made on the interaction of uncertainty and confidentiality. For further information, please visits abunai.dev.

• S. Hahner, "Architecture-Based and Uncertainty-Aware Confidentiality Analysis", Karlsruhe Institute of Technology (KIT), Karlsruhe Institute of Technology (KIT), 2024, doi: 10.5445/IR/1000178700
• S. Hahner, N. Niehues, N. Boltz, et al., "ARC³N: A Collaborative Uncertainty Catalog to Address the Awareness Problem of Model-Based Confidentiality Analysis", International Conference on Model Driven Engineering Languages and Systems (MODELS Companion), ACM/IEEE, 2024, doi: 10.1145/3652620.3688556
• S. Hahner, R. Heinrich, R. Reussner, "Architecture-Based Uncertainty Impact Analysis to Ensure Confidentiality", Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), IEEE/ACM, 2023, doi: 10.1109/SEAMS59076.2023.00026
• S. Hahner, T. Bitschi, M. Walter, et al., "Model-based Confidentiality Analysis under Uncertainty", International Conference on Software Architecture Companion (ICSA-C), IEEE, 2023, doi: 10.1109/ICSA-C57050.2023.00062
• N. Boltz, S. Hahner, M. Walter, et al., "Handling Environmental Uncertainty in Design Time Access Control Analysis", Conference on Software Engineering and Advanced Applications (SEAA), IEEE, 2022, doi: 10.1109/SEAA56994.2022.00067
• M. Walter, S. Hahner, S. Seifermann, et al., "Architectural Optimization for Confidentiality Under Structural Uncertainty", European Conference on Software Architecture (ECSA), Springer, 2022, doi: 10.1007/978-3-031-15116-3_14

MDPA – Model-Based Data Protection Assessments

MDPA enables the model-based assessment of data protection. By incorporating legal information from the GDPR, experts can make statements about data privacy from a software architectural viewpoint. For further information, please visits github.com/Model-Based-Data-Protection-Assessments.

• N. Boltz, L. Sterz, C. Gerking, et al., "A Model-Based Framework for Simplified Collaboration of Legal and Software Experts in Data Protection Assessments", INFORMATIK 2022, Gesellschaft für Informatik, 2022, doi: 10.18420/inf2022_44

ARCoViA – Automated Repair of Confidentiality Violations in Software Architectures

ARCoVIA assists software architects in automatically repearing confidentiality violations in software architectures. For further information, please visits github.com/arcovia-dev.

• N. Niehues, S. Hahner, R. Heinrich, "An Architecture-Based Approach to Mitigate Confidentiality Violations Using Machine Learning", International Conference on Software Architecture (ICSA), IEEE, 2025, doi: 10.1109/ICSA65012.2025.00020