Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software
Hoyeon Cho, Changui Lee, Seojeong Lee

TL;DR
This paper finds that security vulnerabilities in maritime navigation software based on the S-100 standard are often missed by automated tools and highlights the need for improved security standards.
Contribution
The study reveals significant security flaws in S-100-compliant software that automated tools miss, emphasizing the need for updated security specifications in the standard.
Findings
Automated SAST tools failed to detect 83% of expert-identified vulnerabilities in S-100 software.
An unrestricted Lua interpreter flaw allows Remote Code Execution with a CVSS score of 9.3.
Security vulnerabilities stem from specification gaps in the S-100 standard, not just coding errors.
Abstract
The S-100 standard for Electronic Chart Display and Information Systems (ECDIS) uses Lua scripts to render electronic charts, yet lacks security specifications for script execution. This paper evaluates automated Static Application Security Testing (SAST) tools versus expert manual review for S-100-compliant software. Four SAST tools were applied alongside an expert review of OpenS100, a reference implementation for next-generation ECDIS. While automated tools identified numerous defects, they failed to detect 83% (19/23) of expert-identified vulnerabilities, including an unrestricted Lua interpreter flaw with a Common Vulnerability Scoring System (CVSS) score of 9.3. This vulnerability enables Remote Code Execution (RCE) via malicious portrayal catalogues, verified through Proof of Concept (PoC) development. The analysis demonstrates that SAST tools are constrained by limited maritime…
Taxonomy
Topics: Web Application Security Vulnerabilities · Maritime Navigation and Safety · Information and Cyber Security
