From: AAAI Technical Report FS-95-02. Compilation copyright © 1995, AAAI (www.aaai.org). All rights reserved. TENSAR, A Context-orientedSystemModelingLanguage by WilliamSandberg-Maitland August,1995 Overthe past twoyears, a series of researchprojects involving the formal use of contexts applied to informationsystemmodelingin general and computer security in particular has been supported by the Communications Security Establishment in Ottawa, Canada.The notion of context we have evolved is implemented in a language we call TENSAR (Taxonomies,ENtities, Sets and Relations). present, the context mechanismin TENSAR allows abstract models constructed from a general set theoretic foundationto havedistinct context-dependent specifications. TheTEWSAR interpreter stores all model information in a semantic frame knowledge-basethat is partitioned by context. We haveconjecturedthat an algebraiclattice of contexts wouldbe appropriatefor the applications envisaged, and the current implementationof TENSAR supports this. TENSAR was developed as a meansof defining and expressingfacts about general computingsystemsand their models.In particular, modelsused in computer security were considered as the main focus of application. In [SANDBERG:93] an initial version of the language was developed and some candidate systems defined in TENSAR. Initially, TENSARwas designed to form a link betweenInformation Flow Algebras(IFAs)anda genericgraphicaluser interface (GUI). The motivatingconcept behind this phase the developmentwas to demonstrate that the IFA constructions and models could be presented graphically in a consistent way. TENSAR declarations were seen to hold the essential information of a generic GUIoriented to generic modelingconcerns. The general purpose of TENSAR has remained relatively constant throughoutits brief history. The syntactic definition and somedetails of scope have been modifiedto meet an evolving role within the Framework and Open Reference Model for 118 Information Security (FORMIS). [SANDBERG:95],TENSAR is described as a general ontological tool in documentingand referencing Systems in general, with a special interest in Information Security Models.In particular, TENSAR is proposedas the primaryinterchangeformatwithin FORMIS for : (a) IFAs, (b) Information Integrity Modeling,and (c) SystemComposabilityModeling. Whilethe full achievement of the aboveobjectives is part of ongoing and future work, some proof of concept involving IFA implementation within TENSAR is carried out in [SANDBERG:95]. ContextSemantics EachTENSAR metafile has a finite set of contexts, eachof whichcontaina set of constructions,i.e.entity, set, class, function,relation or axiomdefinitions.The constructions of any given context generatea finite set of first and/orsecond-orderlogical statementsin Knowledge Interchange Format(KIF), developed Knowledge SystemsLaboratory, Stanford University. This set of formulasis called the context theory. In order for a contextto be consistent, its theory must havea model.Alternatively, it mustbe demonstrated that there is someKIFstatementwhichis not logical consequenceof the context theory. Both of these tasks are beyondthe scope of TENSA1L but could be formally verified in EVES(by OdysseyResearch Associates,Canada),a formalmethodstool for which a TENSAR interface has been planned. Sincea consistent context theory has a model,it has a meaning,or semanticalcontent. If a context theory is inconsistent,no meaning can be ascribedto it, even though constructions within the context have meanings.Beyondthese consistencyconditions, there is no other consWaint that a context mustsatisfy. It is not necessarythat completedescriptionsof objects be present in the context theory. It mayalso be possible that two or more non-isomorphicmodels satisfy a contexttheory. In suchcases the contextis ambiguous, but not inconsistent. A context is non-ambiguous or finitely categorical if all finite modelsare isomorphic.In the area of application of TENSAR, infinite modelsare not generally required, thereforecategoricitypropertiesover infinite models are not dealt with at present. Todefine contextsin a moredirect syntactic way,wecan employthe notion of a model set, devised in [HIN’HKKA:69]. [SANDBERG:95] describes these semantics in more detail. References Views [SANDBERG:.94] Sandberg-Maitland, W., "Towards an OpenReferenceModelfor InformationSecurity", Research Report for Communications Security Establishment, March1994 [HINTIKKA:69] I-fintikka, J., ModelsforModalilies, Reidel, 1969 [SANDBERG:93] Sandberg-Maitland, W., ’qnformationFlowsAlgebras", ResearchReport for Communications Security Establishment, December 1993 Viewsare describedas a general filter on attribute domains,entities andother objects. Theglobal view can restrict or expandthe user’s ability to detect the specified viewelements.Viewsare not restricted to a specific context. Thecurrent viewdoes not modify any existing TENSAR construction. Theviewcontrols the degreeto whichinformationis hiddenor exposed to the viewer. Theuser has the capability to define a view and invoke any previously defined view. There is a capability to expandan existing viewby adding attributes domains, attributes, component domains,components,relations, sets, entities and other things. Similarly,all of the foregoingcategories can be excludedthrougha restriction of the current view. [SANDBERG:95] Sandberg-Maitland, W., "TENSAR:Semantics and Ontology", Research Report for Communications Security Establishment, March1995 [YOSHITAKA:94] Yoshitaka, A., et al, "Knowledge-AssistedContent-BasedRetrieval for MultimediaDatabases", 1EEEMultimedia, Winter, 1994,pp.12-21 In later versions of TENSAR, moresophisticated view mechanisms are plannedinvolvingpseudo-attributes. This would approach someof the capabilities of multi-media knowledge base systems (as in [YOSHITAKA:94]).Future versions of TENSAR will addnotionsof ’focus’ and’perspective’,but the semanticsof these are not resolvedat this point. At present, the syntax of TENSAR is strongly modeled on that of OntolinguafromKSL,StanfordUniversity. The work on TENSAR and its use of contexts is available from MilanS. Kuchta, INFOSEC Scientific Advisor, Communications Security Establishment, Ottawa,Ontario, Canada,tel. (613) 991-7331,email: mkuchta@manitou.cse.dnd.ca; or the author at CGI GroupInc., 275Slater St., Ottawa,Ontario, KIP5H9, Canada,tel. (613) 234-2155. TENSAR and information about it will shortly be available on the FORMIS WWW site: http://www.cse.dnd.ca/-formis/ 2 119