[cap-talk] Any hope in RSA 2008?

Jonathan S. Shapiro shap at eros-os.com
Sat Apr 5 09:15:55 CDT 2008

On Fri, 2008-04-04 at 22:08 -0700, Raoul Duke wrote:
> >  > perhaps the Titanic might also help as a story which says "even those
> >  > people who live and breathe POLA are going to find new issues which
> >  > have to be resolved; nothing is perfect...
> >
> >  I guess I don't think so. Titanic was the *appearance* of POLA, not the
> >  reality.
> I see what you mean. However, to try to play devil's advocate for a
> moment, I'm guessing that there will be at least one or two tricky
> bugs or thinkos in any security system.... Just like the Titanic,
> things can be darned obvious in retrospect.

The Titanic problems were darned obvious before the ship ever left the
yards. That failure wasn't a case of "one or two tricky bugs". It was a
case of systemically bad design. Ironically, none of the bad elements
were critical in the sinking.

A brief overview of the design can be found here:


most of the issues that it identifies are self-evident. A case can be
made that only the D through O bulkheads were meaningful compartments.
[Aside: note that all were pragmatic compromises, much like the holes
that people poke in their computer security.]

In the case of Titanic, none of these issues were the proximate cause of
failure, though several probably accelerated the sinking *slightly*. The
proximate cause was that the iceberg ripped a horizontal hole in the
hull below the waterline, flooding 5 of the 16 compartments. The loss of
buoyancy was sufficient to bring D-deck below water at the front. The
compartment boundaries stopped at D-deck, because unimpeded passage was
required above that level for a variety of reasons. Once water crossed
the D-deck line, progressive flooding was inevitable even if the
compartments themselves were perfect. In short, the degree of failure
anticipated by the design was greatly exceeded.

It is nearly certain that the ship would have survived compromise of two
adjacent forward compartments, and conceivable that the design might
have survived compromise of three, but given the holes in the
compartments this would depend heavily on maintaining power for pumps.
In practice, water and engines don't really get along, so a large enough
compromise aft of bulkhead D would be problematic.

Note that if all of the deficiencies mentioned in the article were
resolved, having water rise above D-deck would still be fatal. One
reason the ship sank so quickly was that successive compartments flooded
just about as fast as the water could fill them.