Automated Mitigation of Confidentiality Violations in Software Architectures using Discrete Optimization

From SDQ-Institutsseminar
Speaker: Benjamin Arp
Talk type: Master's thesis
Supervisor: Nils Niehues
Date: Fri 20 March 2026, 14:00 (Room 010 (Building 50.34))
Language: English
Mode: in person
Abstract: Identifying confidentiality violations in software architectures at design time is a well-studied problem. Fixing them automatically is not. Frameworks such as STRIDE and LINDDUN use Data Flow Diagrams (DFDs) to expose threats at an early stage in the development lifecycle. But once a violation is detected, software architects must still manually determine and apply the appropriate countermeasures, which is both a time-consuming and error-prone process. This thesis addresses the repair side of the problem. The central research question is which discrete optimisation method is best suited to automate this task. To answer it without presupposing an outcome, we design a comparative survey of three candidate methods: Branch and Bound, Integer Linear Programming (ILP), and Evolutionary Algorithms. These are evaluated against four criteria: optimality, runtime performance, extensibility, and reproducibility. The survey establishes ILP as the only method satisfying all four, primarily because its declarative problem formulation separates constraint specification from solving. This separation proves essential when mitigation strategies must be extended or customised. Building on this result, we implement an ILP-based automated mitigation approach integrated into the ARCoViA framework. The approach operates on DFDs that are annotated with label-based confidentiality constraints. It then enumerates candidate mitigation strategies across the full space of label additions and deletions, node insertions and removals, as well as flow deletions. These strategies, along with their mutual dependencies and contradictions, are encoded into a Boolean ILP problem. The solver yields a minimal-cost repair, which is then applied to produce a repaired DFD automatically. The main engineering challenge is generating a complete and correct set of candidate mitigations and encoding their dependencies and contradictions without omissions. The prior SAT-based approach, which this work extends, is limited to purely additive label changes and struggles to express richer constraint structures in CNF form. The present approach removes both restrictions. We evaluate it against four goals: effectiveness, extensibility, cost, and scalability, using DFD models from the MicroSecEnD benchmark. The approach eliminates all detected violations, produces repairs that are approximately 73% less invasive than a human baseline, and scales acceptably across all studied dimensions of model complexity.
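As an added illustration of the Boolean ILP encoding sketched in the abstract (example code written for this page, not part of the thesis or of ARCoViA): a constructed two-violation DFD scenario with hypothetical candidate names and costs, the cover, dependency and contradiction rows the abstract describes, and an exhaustive 0/1 search standing in for the ILP solver.

```python
from itertools import product

# Constructed scenario (assumption, not from the thesis): flow "user_data" is labelled
# Personal and reaches LogService (lacking Encrypted) and ExternalAnalytics (lacking
# Anonymized). Each candidate mitigation is a 0/1 variable with an invasiveness cost.
COST = {
    "add_label_Encrypted@LogService": 6,
    "insert_node_Anonymizer@user_data": 5,
    "delete_label_Personal@user_data": 4,
    "delete_flow_user_data": 10,
    "remove_node_LogService": 12,
}
# Cover rows, one per detected violation: sum(x_i for i in S) >= 1.
COVER = [
    {"add_label_Encrypted@LogService", "delete_label_Personal@user_data",
     "delete_flow_user_data", "remove_node_LogService"},      # Personal data needs Encrypted sink
    {"insert_node_Anonymizer@user_data", "delete_label_Personal@user_data",
     "delete_flow_user_data"},                                # Personal data needs Anonymized
]
# Dependency rows x_a - x_b <= 0: dropping the Personal label is only sound once an
# anonymiser node sits on the flow.
DEPENDS = [("delete_label_Personal@user_data", "insert_node_Anonymizer@user_data")]
# Contradiction rows x_a + x_b <= 1: cannot label a removed node, nor insert a node on a
# deleted flow.
CONFLICTS = [
    ("add_label_Encrypted@LogService", "remove_node_LogService"),
    ("insert_node_Anonymizer@user_data", "delete_flow_user_data"),
]

def feasible(x):
    """Check every ILP row against a 0/1 assignment x (dict: candidate -> 0/1)."""
    return (all(sum(x[i] for i in s) >= 1 for s in COVER)
            and all(x[a] - x[b] <= 0 for a, b in DEPENDS)
            and all(x[a] + x[b] <= 1 for a, b in CONFLICTS))

def solve(cost=COST):
    """Minimise sum(cost_i * x_i) subject to feasible(x) by enumerating all 0/1 vectors.
    This brute force replaces a real ILP solver and is only viable for a few candidates."""
    names = sorted(cost)
    best = None
    for bits in product((0, 1), repeat=len(names)):
        x = dict(zip(names, bits))
        if feasible(x):
            total = sum(cost[n] * x[n] for n in names)
            if best is None or total < best[0]:
                best = (total, frozenset(n for n in names if x[n]))
    return best

if __name__ == "__main__":
    total, repair = solve()
    print(total, sorted(repair))  # 9 ['delete_label_Personal@user_data', 'insert_node_Anonymizer@user_data']
```

The cheapest single candidate (dropping the Personal label, cost 4) is rejected by the dependency row, so the solver returns the anonymiser-plus-label-deletion repair at cost 9 rather than the flow deletion at cost 10.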