LINK Is Not a Kernel (LINK) is a new operating system architecture developed for IA-32 (x86) computers. In LINK there is no kernel, but instead a set of system services which cooperate to perform the duties of an OS. All these system services, except one, run at privilege level 3. The only privilege level 0 system service is the task switcher which has the responsibility of performing context switches between tasks. A new security model has been developed for LINK that use hierachically named capabilities. This security model is formally analysed and it is proved that it can be used to reason about access control and information flow. It is also proved that the LINK security model can simulate the Unix user-group security model.