chinese wall security policy
DESCRIPTION
Chinese Wall security policyTRANSCRIPT
-
THE CHINESE WALL SECURITY POLICY
Dr. David F.C. Brewer and Dr. Michael J. Nash
GAMMA SECURE SYSTEMS LIMITED9 Glenhurst Close, Backwater, Camberley, Surrey, GUI 7 9BQ, United Kingdom
ABSTRACT
Everyone who has seen the movie Wall Street wi~l
have seen a commercial security policy in action.The recent work of Clark and Wilson and theWIPCIS initiative (the Workshop on Integrity Policyfor Computer Information Systems) has drawnattention to the existence of a wide range of com-mercial security policies which are both signifi-cantly different from each other and quite alien tocurrent military thin king as implemented inproducts for the security mari
-
,!ktAhiw..,Qn9iwI iZ@Q~
We start by informally defining the concept of aChinese Wall and, in particular, what is meant bybeing on the wrong side of it. A formal specifica-tion will be found in Annex A.
All corporate information is stored in a hierarchi-cally arranged filing system such as that shown infigure 1. There are three levels of significance:
a) at the lowest level, we consider individualitems of information, each concerning a singlecorporation. In keeping with BLP, we willrefer to the files in which such informationis stored as objectq
b) at the intermediate level, we group all ob-jects which concern the same corporation to-gether into what we will call a companydatase~
c) at the highest level, we group together allcompany datasets whose corporations are i ncompetition. We will refer to each suchgroup as a conflict of interest class.
Associated with each object is the name of thecompany dataset to which it belongs and the nameof the conflict of interest class to which that com-pany dataset belongs. For example, the conflict ofinterest class names could be the business sectorheadings found in Stock exchange listings(Petrochemical, Financial Services, etc.); the com-pafiy dataset names could be the names of compa-nies listed under those headings. For conveniencelet us call the r-th object o. and refer to its com-pan y dataset as y. and its conflict of interestclass as Xr.
Thus, if our system maintained information say onEank-A, Oil Company-A and Oil Company-B:
a) all objects would belong to one of three com-pany datasets (i.e. yr would be 13ank-A,Oil Company-A or Oil Company-B) and
b) there would be two conflict of interestclasses, one for banks (containing Bank-Asdataset) and one for petroleum companies(containing Oil Company-As and Oil Company-Bs datasets), i.e. x. would be banks orpetroleum companies
This structure is of great importance to the modeland is represented in the annex as an axiom (Al).
,Si,mr?l,e ?X?Guri,tY
The basis of the Chinese Wall policy is that peopleare only allowed access to information which is notheld to conflict with any other information thatthey already possess. As far as the computersystem is c=ncerned the only information alreadypossessed by a user must be information that:
a) is held on the computer, and
b) that user has previously accessed.
Thus, in consideration of the Bank-A, Oil Company-A and Oil Company-B datasets mentioned previ-OUSI y, a new user may f reel y choose to accesswhatever datasets he Ii kes; as far as the computeris concerned a new user does not possess anyinformation and therefore no conf I ict can exist.Sometime later, however, such a conflict may exist.
Suppose our user accesses the Oil Company-Adataset first; we say that our user now possessesinformation concerning the Oil Company-A dataset.Sometime later he requests access to the Bank-Adataset. This is quite permissible since the Bank-Aand Oi I Company-A datasets belong to differentconflict of interest classes and therefore no con-flict exists. However, if he requests access to theOil Company-B dataset the request must be deniedsince a conflict does exist between the requesteddataset (Oi I Company-B) and one already possessed(Oil Company-A).
THE SET OF ALL OBJECTS, O1I
Conflict of :interest :classes : I f
:A :,B !C8 @8 1 ;
Company j : :datasets I #: 1 I
I 1 I 1.
:f:gih ;i ;J- :k :I:m:n
:1
1 II:1s : j individual objects
(conflict of interest class Acompany dataset g)
F,i,9,Mr%,l ,-,.The ,m,PQsitiQn,,,, Qt,, Qkd.fxts
We note that it does not matter whether the OilCompany-A dataset was accessed before or afterthe Bank-A dataset. However, were Oil Company-Bto be accessed before the request to access the OilCompany-A dataset, the restrictions would be quitedifferent. In this case access to the Oil Company-A dataset would be denied and our user wouldpossess {Oil Company-B, Bank-A} (as opposedto the request to access the Oil Company-B datasetbeing denied and the user possessing {OilCompany-A, Bank-A]).
What we have just described is a Chinese Wall. Wenote, in the first instance, that our user has com-plete freedom to access anything he cares tochcose. Once that initial choice has been made,however, a Chinese Wall is created for that useraround that dataset and we can think of thewrong side of this Wall as being any datasetwithin the same conflict of interest class as thatdataset within the Wall. Nevertheless, the userstill has freedom to access any other dataset which
207
-
is in a different conflict of interest class, but asscon as that choice is made, the Wall changesshape to Include the new dataset. Thus we seethat the Chinese Wall policy is a subtle combinationof free choice and mandatory control.
More formally, we can introduce ELPs concept of asubject to represent a user, and indeed any pro-gram that might act on his behalf. Again, it isonvenient to be able to identify any particular
subject, let us call it su for the u-th subject.However, we conclude that it is necessary for thecomputer to remember who has accessed what. An-nex A introduces a formalized device (D I ), N, to dothis. Essentially ,~ is a matrix with a COIUmn fOrevery object in the system and a row for everysubject; any particular cell therefore correspondsto a particular (subject, object) pair. ~ simplyrecords who has accessed what, in other wordswho possesses w h at. For example if a subject, SU,has accessed some object or then ,N(u, r) would beset true, otherwise it would be set false. Oncesome request by, say, SU, to access some new ob-ject, say OG is granted then ,~, of course, must beupdated; in particular ~ must be replaced by somenew N in which ,N(u, t) takes the value true.
Given this we can then define a security rule(axiom A2 in Annex A). This rule means that:
Access is only granted if the objectrequested:
a) is in the same company datasetas an object already access ed bythat subject, i.e. within the Wall,or
b) belongs to an entirely differentmnflict of interest class
(A2).
This rule is, however, insufficient in itself; it isnecessary to ensure that initially, i.e. before anysub ject has requested access to any object, that Nhas been correctly initialized (everywhere false).Moreover it is necessary to formal IY define the no-tion that, given such an initial state, then the firstever access will be granted. These two require-ments are stated as axioms AZ and A4(respectively) in Annex A.
This rule is analogous to the simple security ruledefined in the BLP model and since these two ruleswill be compared with each other, we will call ourrule (A2) the simp/e security rule as well. ( Notsurprisingly, we will define a *-property rule aswell, see later. )
The basic formulation of the Chinese Wall policy isexpressed. i n Annex A as axioms Al -A4. Giventhese, we can prove some useful theorems aboutthe policy. Annex A does this. The first two the-orems merely confirm that our informal concepts ofa Chinese Wall are indeed implied by these rules,in particular:
T1 ) Once a subject has accessed anobject the only other objectsaccessible by that subject liewithin the same company datasetor within a different conflict ofinterest class.
T2) A subject can at most have ac-cess to one company dataset ineach conflict of interest class.
A third theorem concerns a most pragmatic conse-quence of a Chinese Wall policy, and that is howmany people do you need to operate one?
T3) If for some conflict of interestclass X there are Xv ccinpanydatasets then the minimum num-ber of subjects which will allowevery object to be acceeee d byat least one subject is Xv.
This tells us that it is the conflict of interest classwith the largest number of member companydatasets (L, say) which will give us the an~wer.However, because of the free choice nature of thepolicy, should two or more users choose to accessthe same dataset then this number must be !n-creased. Moreover, if we had an Automobile classwith 5 motor companies (LY = 5) and five userseach with access to different motor companies, butall choose to access the same petroleum company,Oil Company-A, then who can access Oil Company-B?
Hence, in practice, it is not necessarily the largestconflict of interest class that gives us an accessi-bility problem. Lv is nevertheless the minimumnumber of subjects ever required and thus theminimum number of analysts the finance house mustemploy.
It is usual in the application of the Chinese Wallpolicy for company datasets to contain sensitivedata relating to individual corporations, the conflictof interest c!asses being in general business sec-tors. However it is considered important to beable to generally ccmpare such information withthat relating to other corporations. Clearly aproblem arises if access to any corporation is pro-hibited by the simple security rule due to someprevious access (a user can never compare OilCompany-As data with Oil Company Bs data, norcan he compare Bank-As data with Oil Company-Asdata if he has had previous access to Oil Company-Bs data). This restriction can, however, be re-moved if we use a sanitized form of the informationrequired.
Sanitization takes the form of disguising a corpo-rations information, in particular to prevent thediscovery of that corporations identity. Obviously,effective sanitization cannot work unless there issufficient data to prevent backward inference oforigin. Since it is not the objective of this paperto discuss the problem of inference we will assume
208
-
that sanitization is possible. In practice, this hasbeen found to be the case [3].
It seems sensible, therefore, to regard all companydata~ets, bar one, as containing sensitive in-
formation belonging to some particular corporation.We reserve the remaining dataset, YO (say), forsanitized information relating to all corporations(D2 in Annex A).
It is unnecessary to restrict access to such sani-tized information. This can be accomplished with-out need to rework any of the preceding thecry byasserting that this distinguished company dataset,yc., is the sole member of some distinguished con-flict of interest class, x~ (A5). In other words, ifan object bears the security label y~ then it mustalso bear the label x~ and vice versa. T~ tells us
that al I sub jects can access this company dataset.
*-F!wM-tY
Suppose two subjects, User-A and User-B, havebetween them access to the three datasets, Oi ICompany-A, Oil Company-B and Bank-A, in particu-lar User-A has access to Oil Company-A and Bank-A and User-B has access to Oil Company-B andBank-A. If User-A reads information from Oi I Com-pany-A and writes it to Bank-A then User-B canread Oil Company-A information. This should notbe permitted, however, because of the conflict ofinterest between Oil Company-A and Oil Company-B.Thus indirect violations of the Chinese Wall policyare possible.
We can prevent such violations by insisting that:
Write access is only permitted if
a) accees 1s permitted by the simplesecurity rule, and
b) no object can be read which isin a different company dataset tothe one for which write access isrequested and contains uneani-tized information.
(A6).
Given this rule we can prove that:
T4) The flow of u nsaniti zed in-formation is confined to its owncompany datase~ sanitized in-formation may however flow
f reel y throughout the system.
The rule is analogous to the *-property securityrule defined in the BLP model; we will therefore
call our rule (A6) the ~-property security rule aswell.
BEaLAm-M%U?L!.LA
It is instructive to compare the Chinese Wall policywith that of the Bell -LaPadula model [4, 5]. Bothp61icies are described in similar terms: the compo-sition and security attributes of the objects con-cerned and the rules for access, both in respect ofsimple-security and *-property.
We take each of these topics in turn and identify atransformation which permits the Bell -LaPadulamodel (BLP) to describe that aspect of the ChineseWall policy as faithfully as possible.
Qkhwt ,,,mmxitism
The BLP model places no constraints upon theinterrelationships between objects, in particular itdoes not require them to be hierarchically ar-ranged into company datasets and conflict of inter-est classes. Instead it imposes a structure uponthe security attributes themselves.
Each object within the BLP model [4] has a secu-rity label of the form (c/ass, {cat}) where
a) c/ass is the classification of the information(e.g. unclassified, confidential, secret)
b) cat is the formal category of the information(e.g. NOFOR).
Unlike the Chinese Wall policy, BLP attaches secu-rity attributes to subjects as well. They are com-plementary to object labels and have the form( c/ear, NTK) where:
a) clear is the subjects clearance, i.e. themaximum classification to which he is permit-ted access
b) NTK is the subjects need-to-know, i.e. thesum tots! of all categories to which he ispermitted access.
Although this Iabelling scheme is seemingly quitedifferent from that of figure 1, the two objectcompositions can be brought together quite simplyby:
a) reserving one BLP classification for sanitizedinformation and another for unsanitized in-formation
b) assigning each Chinese Wall (x, y) label to aunique BLP category
c) Iabelling each object containing unsanitlzedinformation with the BLP categorycorresponding to its (x, y) label and theBLP category of the sanitized dataset (xo,Yol.
The result of applying this transformation to theobject composition of figure 1 is shown in figure 2.
209
-
1: : 2; : 3: I
&: (A,f) : &: (B,i) : &: (C,l) !o: : 0: : 0: IE
4; : 5: : 6: :&i (A,g) : &l (B,.j) : &: (C,m) :0: : 0: : 0:
8*
7: : 8: : 9: 1I&: (A,h) ~ &: (B,k) : &: (C,n) :0: , 0; : 0: 1I
o: 111 (XO,YO) II 1t 1t 8
BLP also has a simple-security rule and a *-prop-erty rule:
a) EimPbHKXXArltY: access iS granted only if thesubjects clearance is greater than the ob-jects classification and the subjects need-to-know inc/udesthe objects category(ies)
b) ?!-KMXMW.XY: write access is granted only ifthe output objects classification is greaterthan the classification of al! input objects,and its category Includes the category(ies) ofall input objects.
We note that, in contrast to the Chinese Wall pol-icy, these rules do not constrain access by theobjects already possessed by a subject, but by thesecurity attributes of the objects in question.Even
a)
b)
c)
so, a transformation does exist:
give all subjects access to both sanitized andunsanitized objects
define a need-to-know category for all possi-ble combinations of object category whichsat isf y T2
assign one such need-to-know category toeach subject at the outset.
Referring to figure 2, for example, we would have27 combinations:
{o, 1, 2, 3},{O, 1, 2, 6},{o, 1, 2, 9},{o, 1, 5, 3}, . . . .
. . . ..{0. 7, 8, 9}
then assign one of these to each subject, e.g. ifhad three subjects, User-A, LJser-B and User-C,could assign them:
User-A has {0, 1, 2, 3}User-B has {O, 4, 8, 6]User-C has {O, 7, 5, S}
Now, the BLP simple security rule will work as wehave granted subjects need-to-know combinationsof company datasets for which no conflict of inter-est exists.. BLP *-property also works. The cate-gory of the input objects must be included in thecategory of the output objects; input objects must
therefore either contain sanitized information or beof the same company dataset as the output object.Moreover, unsanitized information dominates san-itized information.
These transformations give gcod account of BLPsability to model to Chinese Wall security policy;they are not, however, entirely satisfactory.
For example, suppose in the real world managementsuddenly required User-A to have access to com-pany dataset-g because User-B was taken sick;what then? We cannot just change User-As need-to-know to {O, 1, 8, 3] unless we know for certainthat he has not yet accessed company dataset-2;otherwise we would violate the Chinese Wall. TheBLP model does not provide the necessary informa-tion to answer this question.
Secondly, BLP only works if subjects are not giventhe freedom to choose which company datasets theywish to access. In other words, these trans-formations totally ignore the free choice nature ofthe Chine~e Wall policy. This freedom of choicecan be restored (e.g. by extending subject need-to-know to cover all company datasets) but only atthe expense of failing to express the mandatorycontrols.
Thus, we can use BLP to model ~ither the manda-tory part or the free choice part of the ChineseWall policy but not both at the same time. This isa somewhat fundamental restriction as the ChineseWall policy requires both! The Chinese Wall modelmust therefore be regarded as distinct from BLPand important in its own right.
(U&M ..AN.D...ILSC?N?N
It is interesting to consider the Chinese Wall policyin the light of Clark and Wilsons work. TheClark-Wilson model [1] defines a set of rules, basedon commercial data processing practices, which to-gether have the objective of maintaining data in-tegrity. One such rule (E2), cbserved in manycommercial systems [3], describes a finer degree ofaccess control than that required by BLP.Compatibility of the Chinese Wall model with E2 isimportant because of the practical significance ofthat rule; it would not be useful if in order tosatisfy E2 a system could not also satisfy theChinese Wall policy.
210
-
Rule E2 requires access to be controlled on the ba-sis of a set of relations of the form (user, pro-gram, object) which relates a user, a program, andthe objects that program may reference on behalfof that user. Of greatest interest is the observa-tion that if all users are permitted access to agiven process, which in turn is allowed to accessany object, then it does not follow that all usersare permitted access to all objscts. This may ap-ply in the case of a Chinese Wall policy where, forexample, some users may have access to a spread-sheet package but may not be permitted to use iton all company datasets to which they are per-mitted access.
A refin,9d.,9xmi,tiQn,,,,Qf,,,th,e,,,,,Gh~,n,-,,,M,all,,MUcy
The Chinese Wall policy as described so far refersto the users of the c.ystem. Thus we may interpretthe use of the word subject in the various axioms,definitions and theorems as users. To be more ex-plicit we define user as a human being who causesor attempts to cause a transaction in a system. Inparticular it is incorrect to associate subject witha ( user, process) pair si rice, A2 for example, WOUIdimply that any particular user could gain access totwo datasets within the same conflict of interestclass simply by accessing them via different pro-cesses.
We may then accommodate Clark and Wilsons ob-servation by simply requiring that:
a) users may only execute certain namedprOWSSQS (A7)
b) those pKKX3SSeS may only access certainobjects (A8).
Axiom A8 is defined in such a way as to maintainindependence between what a user is allowed to doand what a process is allowed to do. This allowsClari< and Wilsons observation to be incorporatedinto our model:
a) without change to any of the foregoing the-ory (in particular we simply restate all ax-ioms, definitions and theorems by replacingsiJb ject w i t h use,r)
b) redefining the overal I simple and .*-propertysecurity rules to be the logical conjunctionof al I user-object, user-p recess and process-object permissions.
Thus a process is allowed to access an object ifthe user requesting it is allowed to execute it andthat user, by the Chinese Wall policy, is allowed toaccess that object and that process is also allowedto access that object; write access is then per-
mitted only if the ,*p,roperty rule (A6) is satisfied.Thus we conclude that the Chinese Wall model isnot at variance with the observations of Clark and!#i! son.
Q!&RMA_mtwmmNs
In this paper we have explored a commercial secu-rity policy which represents the behaviour re-
q ui red of those persons who perform corporateanalysis for financial institutions. It can be dis-tinguished from Bell-LaPadula-like policies by theway that a users permitted accesses are con-strained by the history of his previous accesses.
We ha~e shown that the formal representation ofthe policy correctly permits a market analyst totalk to any corporation which does not create aconf Iict of interest with previous assignments.Failure to obey this policy would be considered, atbest, unprofessional and potential I y criminallyfraudulent. In some countries, showing that thepolicy has been enforced is sufficient to providelegal protection against charges of insider dealing.
Thus this is a real commercial policy which can beformally modelled, but not using a Bell-LaPadulabased zpproach. However, the Clark and Wilsonsaccess control observations are not at variancewith either the policy or its model as developedwithin this paper.
[1]
[21
[31
[4]
[5]
[6]
[71
Fw33wH.s
CLARK, D. R., and WILSON, D.R.A Comparison of Commercial and Military
Computer Security Policies IEEE S ymposi urnon Security and Privacy, Oakland, April 1987.
WIPCISReport of the Invitational Workshop on In-tegrity Policy in Computer Information Sys-tems (wIpcIs) Published by the NIST(formerly the NBS), April 1988.
BREWER, D.F.C.aThe Corporate Implications of CommercialSecurity Policies, Proceedings of CorporateComputer Security 89, PLF Communications,London, February 1989.
BELL, D.E, and LaPADULA, L.J.Secure Computer Systems: Unified Expositionand Multics Interpretation ESD-TR-75-306,MTR 2997 Rev. 1, The MITRE Corporation,March 1976.
McLEAN, J.$The Algebra of Security IEEE Symposi urnon Security and Privacy, Oakland, April 1988.
Her Majest ys Stationery Off ice, London,Securities and Investment Board Rules,Chapter III Part 5:08.
Her Majestys Stationery Office, London,Financial Services Act 1996, S48(2)(h), 1986.
211
-
ANNEX AFORMAL MODEl-
Let S be a set of subjects, O be a set of objectsand L a set of security labels (x, y). One such
label is associated with each object. We introduce
functions X(o) and Y(o) which determine re-spectively the x and y components of this securitylabel for a given object o.
We will refer to the x as conflict of interestclasses, the y as company datasets and introducethe notation Xj, Yj to mean X(oj) and Y(oj)respective y, Thus for some object ~j, xj is itsconflict of interest class and Yj is its companydataset.
Axi,m,,,,,l,:
.Y1 y2 ---> xl = x2
in other words, if any two objects O* and 02 be-long to the same company datzset then they alsobelong to the same conflict of interest class.
,Kkmku,, 1,:
in other words, if any two objects 01 and 02 be-long to different conflict of interest classes thenthey must belong to different company datasets.
f!mmyl y2 ---> xl = x2 (Al )
n.Qt (YI = Y2) Qr (xl = x2)
xl x2 ---> yl
-
Wwt:
SuppGse there are ?J subjects and for some conflict
of interest class, X, there are XV company datasets.Let all of these subjects have access to the same
company dataset, i.e. N subjects have access tocompany dataset (x, 1); and, by T2, no subjecthas access to company datas.et~ (X, 2)... (X, XV).
W!? can access one of these, say (X, 2), by reallo-cating one of the subjects with access to (X, 1) to(X, 2), i.e. N - 1 subjects with access to (X, 1), one
with access to (X, 2) and Xv - 2 inaccessibled atasets.
By induction, after n similar reallocations we haveN - n subjects with accsss to (X, 1), cne each for
(X, 2)... (X, n + 1) and Xv - (n + 1) inaccessibledatasets. In order that all data sets are accessiblewe require Xv = (n + 1) provided, of course, thatthe nu,mber of subjects with access to (X, 1) !s atleast one, i.e. N - n > 0. Hence we require thesmallest value of N such that:
XV. (n+l)~~N-n>O
N- XV+I>O
khich has a minimum when
i.e. kfhen N
PefinM2n, 2:
N- XY+l=I
Xf.
8ANI,T,IZED INIX2RMATKW
For acy object OS,
ys yo implies that os contains san[tizedi nf~rmatlon
js yo implies that cs contains unssnit/zeoinformation
Axim 5:y. ~.
In other words, if an object bears the security la-bel y~ then it must also bear the label XC. and viceversa. T2 tells us that al! subjects can access thiscompany dataset.
A,xi,m,_5:
Write access to any object ob by any subject suis permitted if and only if N(u, b) = true ~~dthere does not exist any object oa (~(u, a) = true)which can be read by sw for which:
Ya ~> .Yb w,d Ja y-
-nMxmM! *
The flow of unsanitized information is confined toits own company dataset; sanitized information mayhowever flow freely throughout the system.
,Rmfi
Let T = {(a, b)~~(u, a) = true ~d N(u, b) truefor some s. in S1. We will interpret (a, b) asmeaning that information may flow from Oa to Ob.The reflexive transitive closure P then defines allpossible information flows.
Let El = {(a, b)~(a, b) i,n OXO m,d Ya Yb ,~~.d Ya ye}. This is the set of all object pairs excludedby A6.
Thus the on! y possible information flows remainingafter the introduction of A6 are given by C = P
minus B:
{(a, b)ln~k (Ya YO)}
{(a, b)lnot (Ya Yb) or J@ (Ya ~> YcI)}
{(a, b)!(ya = Yti) w (Ya = YO)}
Hence information may only flow between objectswhich belong to the same company dataset ororiginate from the sanitized dataset.
EXT,ENSIQN,,,,E,QR,,,,,GLARK ,AND,, ,W,lkm
We now formally introduce the set P, the set ofprocesses which we may interpret as those pro-grams or sub-programs which a user may use toaccess whatever objects that the Chinese Wall pol-icy grants him access to. We let A be a relation ofSXP, representing those processes which a user isallowed to execute. Thus:
Axi,m 7:
,4 user, SU, may execute a process, pf, if and onlyif (u, f) is a member of A.
We augment L to include a third attribute, z (i.e.L = {(x, y, z)}, where z is a member of some set&7. Z(oj) is the function which determines the Z-component of the security label of a given objectOj ( ~j for short) and introduce PZ to representthe power set of Z. We then associate with eachand every procesz, p?, a member of PZ, determinedby the function PZ(pf), or Pzf for short. Weassert that p recesses can only access objectswhose z-attribute is included in those of thep recess, i.e.
Axif3fn *
A process pf may only access an object or if
2P ,Sub,siet. Qt P ~f.
213
-
The access rules are now governed by A2-A4 endA6-A8. In particular an initially secure state existswhen no user has ever accessed any object (A3)and the first ever access by any user to any ob-ject is entirely unrestrained (A4).
Users may, however, only access that object (saysu and or respectively) via some process pf where(u, f) jn A ,&md for which Z. s.wklset,,,,d Pzf (A7,A8).
Users may then access some other object ot= via pfif and only if for all ,N(u, c) true:
((u, f)l,n A) and(z. f$u,lx$f?t,d Pzf) ,WM
((X. Xr) W (YI2 = Yr))(A2, A7, A8)
and, finally users may only write information to anobject Ob provided that access is not prohibitedby any of the above rules and that there does notexist any object oa which can be read for which:
ya Yb mgi ya yo(A6).
214