# Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software

**Authors:** Hoyeon Cho, Changui Lee, Seojeong Lee

PMC · DOI: 10.3390/s26041246 · 2026-02-14

## TL;DR

This paper finds that security vulnerabilities in maritime navigation software based on the S-100 standard are often missed by automated tools and highlights the need for improved security standards.

## Contribution

The study reveals significant security flaws in S-100-compliant software that automated tools miss, emphasizing the need for updated security specifications in the standard.

## Key findings

- Automated SAST tools failed to detect 83% of expert-identified vulnerabilities in S-100 software.
- An unrestricted Lua interpreter flaw allows Remote Code Execution with a CVSS score of 9.3.
- Security vulnerabilities stem from specification gaps in the S-100 standard, not just coding errors.

## Abstract

The S-100 standard for Electronic Chart Display and Information Systems (ECDIS) uses Lua scripts to render electronic charts, yet lacks security specifications for script execution. This paper evaluates automated Static Application Security Testing (SAST) tools versus expert manual review for S-100-compliant software. Four SAST tools were applied alongside an expert review of OpenS100, a reference implementation for next-generation ECDIS. While automated tools identified numerous defects, they failed to detect 83% (19/23) of expert-identified vulnerabilities, including an unrestricted Lua interpreter flaw with a Common Vulnerability Scoring System (CVSS) score of 9.3. This vulnerability enables Remote Code Execution (RCE) via malicious portrayal catalogues, verified through Proof of Concept (PoC) development. The analysis demonstrates that SAST tools are constrained by limited maritime domain knowledge and challenges in analyzing cross-language semantic risks at the C++–Lua interface. The findings establish that identified vulnerabilities stem from specification gaps in the S-100 standard rather than isolated coding errors. These results indicate that functional safety certifications require supplementation to address design-level security risks. The evidence supports that the International Hydrographic Organization (IHO) incorporate security controls, such as script sandboxing and library restrictions, into the S-100 framework before the 2029 mandatory adoption deadline.

## Full-text entities

- **Genes:** S100A1 (S100 calcium binding protein A1) [NCBI Gene 6271] {aka S100, S100-alpha, S100A}

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12943942/full.md

---
Source: https://tomesphere.com/paper/PMC12943942