Serval Research Group

Serval is a research group from the Interdisciplinary Centre for Security Reliability and Trust (SnT) of the University of Luxembourg.

The overall objective of Serval is to propose efficient tools and methods to both 1) build secure and reliable software systems, and 2) easily test these systems. To achieve this objective, the Serval Research Group investigates three main technologies: Model-Driven approaches, Service-Oriented requirements and architectures, and communication and network technologies.


In the field of modelling, model-driven engineering appears as a very promising approach both to rationalize a development process (model transformations, metamodelling) and to provide bridges to build interoperability between several concerns (functional, performances, security, dependability), which are often called aspects. The issue of merging aspects and models is a crucial dimension of this new technology and a real scientific challenge. However, the interoperability between the models and their associated semantics opens the possibility to express both the service-oriented architectures and the underlying communication models in the same manipulable environment. The metamodels and treatments proposed in [MFBT08a, MFBT08a, BTM08] for security policies and security fault models allowed to produce the testing artefacts automatically. Such an approach could be generalized to usage control and dependability. MDE technology appears as a good candidate to model the expected features of a secure system, and automatically derive the testing and vigilance artefacts.

In the communications and network technologies, the recent trends consist of allowing many nodes to participate or leave a given network (social networks, P2P systems, ad-hoc networks, delay tolerant networks), potentially at a very large scale. The issue is to guarantee the dependability of such networks and their ability to deliver their services. The problem is that they are highly adaptive so that their robustness (dependability and security) is questionable. The first results on the validation of P2P systems on a Grid ([ASVT08, ASTV08]) reveal that the volatility of nodes is a threat to the performances and dependability of such systems. Currently P2P protocols do not embed the capacity of reorganizing themselves under high volatility. Thus, the link between nodes volatility and the capacity to evolve in a resilient way is not yet demonstrated and testing appears as a good technique to check the resilience of communication platforms and protocols.

In the field of service-oriented requirements, the new systems are built based on the services they are required to provide to the final user. This user-centric (or marketing-centric) vision of systems tackles the difficult question of how to compose services in a trustable manner (security and dependability). The collaboration/communication between services is crucial due to the need for coupling the client definition of a service to its provider. Such coupling is done based on the most recent communication and network technologies. One can wonder whether the resulting services can be trusted. The solution we explore is the use of contracts attached to the services, and dedicated to security and dependability properties. Service-oriented architectures thus become vigilant. Indeed, vigilance can be defined as the quality or state of being wakeful and alert. This notion can be extended to the software and network domains as the ability of a system to dynamically detect an unexpected internal state (error or intrusion). The idea of using contracts for improving the vigilance of the final system has been already explored both from theoretical and empirical points of views [LBJ06]. Indeed, Design by Contract is a lightweight technique for embedding elements of formal specification (such as invariants, pre- and post-conditions) into a design, in general for object-oriented programs. Executable contracts allow components to be responsive to erroneous states, and thus may help in detecting and locating faults. The objective is to adapt contracts for security and dependability as a possible technique for detecting intrusions, security violations and erroneous states. We expect to enhance the detection capability by inserting the detection mechanisms directly inside the software.  Vigilance is thus a basic mechanism to embed in services (and even communication nodes) a “consciousness” that something is going wrong. Vigilance thus allows detection and detection leads to a reaction (fault recovery, reconfiguration, self-adaptation). This mechanism is needed to allow reconfiguration mechanisms of resilient systems to be applied dynamically.