From: AAAI Technical Report FS-95-02. Compilation copyright © 1995, AAAI (www.aaai.org). All rights reserved.
TENSAR,
A Context-orientedSystemModelingLanguage
by
WilliamSandberg-Maitland
August,1995
Overthe past twoyears, a series of researchprojects
involving the formal use of contexts applied to
informationsystemmodelingin general and computer
security in particular has been supported by the
Communications
Security Establishment in Ottawa,
Canada.The notion of context we have evolved is
implemented in a language we call TENSAR
(Taxonomies,ENtities, Sets and Relations).
present, the context mechanismin TENSAR
allows
abstract models constructed from a general set
theoretic foundationto havedistinct context-dependent
specifications. TheTEWSAR
interpreter stores all
model information
in a semantic frame
knowledge-basethat is partitioned by context. We
haveconjecturedthat an algebraiclattice of contexts
wouldbe appropriatefor the applications envisaged,
and the current implementationof TENSAR
supports
this.
TENSAR
was developed as a meansof defining and
expressingfacts about general computingsystemsand
their models.In particular, modelsused in computer
security were considered as the main focus of
application. In [SANDBERG:93]
an initial version of
the language was developed and some candidate
systems defined in TENSAR.
Initially, TENSARwas
designed to form a link betweenInformation Flow
Algebras(IFAs)anda genericgraphicaluser interface
(GUI). The motivatingconcept behind this phase
the developmentwas to demonstrate that the IFA
constructions and models could be presented
graphically in a consistent way.
TENSAR
declarations were seen to hold the essential
information of a generic GUIoriented to generic
modelingconcerns.
The general purpose of TENSAR
has remained
relatively constant throughoutits brief history. The
syntactic definition and somedetails of scope have
been modifiedto meet an evolving role within the
Framework and Open Reference Model for
118
Information
Security (FORMIS).
[SANDBERG:95],TENSAR
is described as a general
ontological tool in documentingand referencing
Systems in general, with a special interest in
Information Security Models.In particular, TENSAR
is proposedas the primaryinterchangeformatwithin
FORMIS
for : (a) IFAs, (b) Information Integrity
Modeling,and (c) SystemComposabilityModeling.
Whilethe full achievement
of the aboveobjectives is
part of ongoing and future work, some proof of
concept involving IFA implementation within
TENSAR
is carried out in [SANDBERG:95].
ContextSemantics
EachTENSAR
metafile has a finite set of contexts,
eachof whichcontaina set of constructions,i.e.entity,
set, class, function,relation or axiomdefinitions.The
constructions of any given context generatea finite
set of first and/orsecond-orderlogical statementsin
Knowledge
Interchange Format(KIF), developed
Knowledge
SystemsLaboratory, Stanford University.
This set of formulasis called the context theory. In
order for a contextto be consistent, its theory must
havea model.Alternatively, it mustbe demonstrated
that there is someKIFstatementwhichis not logical
consequenceof the context theory. Both of these
tasks are beyondthe scope of TENSA1L
but could be
formally verified in EVES(by OdysseyResearch
Associates,Canada),a formalmethodstool for which
a TENSAR
interface has been planned.
Sincea consistent context theory has a model,it has
a meaning,or semanticalcontent. If a context theory
is inconsistent,no meaning
can be ascribedto it, even
though constructions within the context have
meanings.Beyondthese consistencyconditions, there
is no other consWaint
that a context mustsatisfy. It
is not necessarythat completedescriptionsof objects
be present in the context theory. It mayalso be
possible that two or more non-isomorphicmodels
satisfy a contexttheory. In suchcases the contextis
ambiguous, but not inconsistent. A context is
non-ambiguous
or finitely categorical if all finite
modelsare isomorphic.In the area of application of
TENSAR,
infinite modelsare not generally required,
thereforecategoricitypropertiesover infinite models
are not dealt with at present. Todefine contextsin a
moredirect syntactic way,wecan employthe notion
of a model set, devised in [HIN’HKKA:69].
[SANDBERG:95]
describes these semantics in more
detail.
References
Views
[SANDBERG:.94]
Sandberg-Maitland, W., "Towards
an OpenReferenceModelfor InformationSecurity",
Research Report for Communications Security
Establishment, March1994
[HINTIKKA:69]
I-fintikka, J., ModelsforModalilies,
Reidel, 1969
[SANDBERG:93] Sandberg-Maitland, W.,
’qnformationFlowsAlgebras", ResearchReport for
Communications
Security Establishment, December
1993
Viewsare describedas a general filter on attribute
domains,entities andother objects. Theglobal view
can restrict or expandthe user’s ability to detect the
specified viewelements.Viewsare not restricted to
a specific context. Thecurrent viewdoes not modify
any existing TENSAR
construction. Theviewcontrols
the degreeto whichinformationis hiddenor exposed
to the viewer. Theuser has the capability to define
a view and invoke any previously defined view.
There is a capability to expandan existing viewby
adding attributes domains, attributes, component
domains,components,relations, sets, entities and
other things. Similarly,all of the foregoingcategories
can be excludedthrougha restriction of the current
view.
[SANDBERG:95]
Sandberg-Maitland, W.,
"TENSAR:Semantics and Ontology", Research
Report for Communications
Security Establishment,
March1995
[YOSHITAKA:94] Yoshitaka,
A., et al,
"Knowledge-AssistedContent-BasedRetrieval for
MultimediaDatabases", 1EEEMultimedia, Winter,
1994,pp.12-21
In later versions of TENSAR,
moresophisticated view
mechanisms
are plannedinvolvingpseudo-attributes.
This would approach someof the capabilities of
multi-media knowledge base systems (as in
[YOSHITAKA:94]).Future versions of TENSAR
will addnotionsof ’focus’ and’perspective’,but the
semanticsof these are not resolvedat this point. At
present, the syntax of TENSAR
is strongly modeled
on that of OntolinguafromKSL,StanfordUniversity.
The work on TENSAR
and its use of contexts is
available from MilanS. Kuchta, INFOSEC
Scientific
Advisor, Communications
Security Establishment,
Ottawa,Ontario, Canada,tel. (613) 991-7331,email:
mkuchta@manitou.cse.dnd.ca;
or the author at CGI
GroupInc., 275Slater St., Ottawa,Ontario, KIP5H9,
Canada,tel. (613) 234-2155.
TENSAR
and information about it will shortly be
available on the FORMIS
WWW
site:
http://www.cse.dnd.ca/-formis/
2
119