Abstract
Some new security models are presented as a means of understanding the complexities of the Compartmented Mode Workstation dual-label design and the different implementations that are available. The security models, which are based upon a realistic abstraction of a computer, have floating security labels. The models are pessimistic, in that they assume that if information is potentially able to flow then it does so. The models vary in their degrees of pessimism, and thus provide different guarantees about the accuracy of a security label.<>