Costich, O., M. H. Kang, J. N. Froscher, "The SINTRA Data Model:  Structure and
  Operations,",  Proceedings of the 8th Annual IFIP WG 11.3 Working 
  Conference on Database Security. Bad Salzdetfurth, Germany, August 1994.

<blockquote>
Relational database systems are based on a powerful abstraction:  the
relational data model with the relational algebra and update
semantics.  If the database design (i. e., the way the data is
organized) satisfies criteria provided by this foundation, users have
assurance that they can retrieve information in a consistent,
predictable way.  Multilevel secure database systems must not only
provide assurance that information is protected based on its
sensitivity, but should be based on a data model as sound and complete
as the conventional relational model.  In this paper, we present a data
model with a relational algebra and update semantics for a multilevel
secure database system whose protection mechanisms are provided by the
replicated architecture.  The approach is to systematically describe
the effects of treating security labels as data and to define
explicitly the semantics of these data labels for relational database
operations.  We also briefly compare the SINTRA data model to earlier
ones from the SeaView project and their derivations.
</blockquote>