Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software
Abstract
1. Introduction
2. Background and Related Work
2.1. S-100 Standard and Portrayal Engine Architecture
2.2. Software Vulnerability Detection Methods
2.3. Related Work
2.4. Research Gap and Contributions
3. Methodology
3.1. Analysis Target System and Environment
3.2. Automated Static Analysis Pipeline
3.3. Expert Manual Code Review
4. Findings
5. Case Study: Unrestricted Lua Interpreter
5.1. Vulnerability Discovery and Analysis
| Listing 1. Vulnerable Lua interpreter initialization in OpenS100. |
| lua_State* L = luaL_newstate(); luaL_openlibs(L); // Loads ALL standard libraries |
5.2. Attack Path Analysis
5.3. Proof-of-Concept Demonstration
5.4. Impact Assessment
5.5. Patch Validation and Mitigation
| Listing 2. Secure Lua interpreter configuration disabling dangerous libraries. |
| m_l = luaL_newstate (); |
| luaL_openlibs (m_l); // [SECURITY PATCH] Disable dangerous libraries luaL_dostring (m_l, "os = nil " "io = nil " "debug = nil " "package.loadlib = nil " "package.cpath = ’’ " "loadfile = nil " "dofile = nil " "load = nil " "rawset = nil " "loadstring = nil" ); |
5.5.1. Execution Order and Rawget Bypass Prevention
5.5.2. Validation Testing Results
5.5.3. Security and Standard Functional Compatibility
6. Limitations and Discussion
6.1. Limitations
6.2. PC Security Configuration Gap
6.3. Pathway to Standardization
6.4. Future Research
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
| ACARS | Aircraft Communications Addressing and Reporting System |
| ADS-B | Automatic Dependent Surveillance-Broadcast |
| AIS | Automatic Identification System |
| ASLR | Address Space Layout Randomization |
| CFG | Control Flow Guard |
| CTF | Capture The Flag |
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| DEF | Drawing Exchange Format |
| DEP | Data Execution Prevention |
| DoS | Denial of Service |
| ECDIS | Electronic Chart Display and Information Systems |
| ECU | Electronic Control Unit |
| ENC | Electronic Navigational Chart |
| FC | Feature Catalogue |
| GMDSS | Global Maritime Distress and Safety System |
| GNSS | Global Navigation Satellite System |
| HDF5 | Hierarchical Data Format version 5 |
| IACS | International Association of Classification Societies |
| IHO | International Hydrographic Organization |
| IMO | International Maritime Organization |
| IoT | Internet of Things |
| KHOA | Korea Hydrographic and Oceanographic Agency |
| LLM | Large Language Model |
| LOC | Lines of Code |
| MOF | Ministry of Oceans and Fisheries |
| MSVC | Microsoft Visual C++ |
| NMEA | National Marine Electronics Association |
| OSCP | Offensive Security Certified Professional |
| PC | Portrayal Catalogue |
| PoC | Proof of Concept |
| RCE | Remote Code Execution |
| RDP | Remote Desktop Protocol |
| RENC | Regional ENC Coordinating Center |
| SAST | Static Application Security Testing |
| SECOM | Secure Communication Between Ship and Shore |
| SMBv1 | Server Message Block version 1 |
| SOLAS | Safety of Life at Sea |
| VDR | Voyage Data Recorder |
References
- International Hydrographic Organization. IHO S-100 Universal Hydrographic Data Model, Edition 5.2.1. 2025. Available online: http://www.iho.int (accessed on 27 December 2025).
- International Electrotechnical Commission. IEC 63173-2:2022 Maritime Navigation and Radiocommunication Equipment and Systems—Data Interfaces—Part 2: Secure Communication Between Ship and Shore (SECOM); IEC: Geneva, Switzerland, 2022. [Google Scholar]
- International Hydrographic Organization. S-100 Part 15—Data Protection Scheme. In IHO S-100 Universal Hydrographic Data Model, Edition 5.2.1; IHO: Monaco, Monaco, 2025; pp. 687–722. [Google Scholar]
- International Hydrographic Organization. S-100 Part 9a—Portrayal (Lua). In IHO S-100 Universal Hydrographic Data Model, Edition 5.2.1; IHO: Monaco, Monaco, 2025; pp. 413–444. [Google Scholar]
- International Hydrographic Organization. S-100 Part 13—Scripting. In IHO S-100 Universal Hydrographic Data Model, Edition 5.2.1; IHO: Monaco, Monaco, 2025; pp. 623–658. [Google Scholar]
- MITRE Corporation. Common Weakness Enumeration (CWE). Available online: https://cwe.mitre.org/about/new_to_cwe.html (accessed on 27 December 2025).
- Park, J.; Shin, J.; Choi, B. Detection of Vulnerabilities by Incorrect Use of Variable Using Machine Learning. Electronics 2023, 12, 1197. [Google Scholar] [CrossRef]
- International Maritime Organization (IMO). Resolution MSC.428(98)—Maritime Cyber Risk Management in Safety Management Systems; IMO: London, UK, 2017. [Google Scholar]
- Li, M.; Zhou, J.; Chattopadhyay, S.; Goh, M. Maritime Cybersecurity: A Comprehensive Review. arXiv 2024, arXiv:2409.11417. [Google Scholar]
- Longo, G.; Russo, E.; Armando, A.; Merlo, A. Attacking (and defending) the maritime radar system. IEEE Trans. Inf. Forensics Secur. 2023, 18, 3575–3589. [Google Scholar] [CrossRef]
- Svilicic, B. Cyber-Security of Shipboard Navigational Computer-Based Systems. Int. J. Transp. Syst. 2024, 9, 1–3. [Google Scholar]
- Jo, Y.; Choi, O.; You, J.; Cha, Y.; Lee, D.H. Cyberattack Models for Ship Equipment Based on the MITRE ATT&CK Framework. Sensors 2022, 22, 1860. [Google Scholar] [CrossRef] [PubMed]
- National Vulnerability Database. CVE-2025-49844. Available online: https://nvd.nist.gov/vuln/detail/CVE-2025-49844 (accessed on 27 December 2025).
- National Vulnerability Database. CVE-2022-0543. Available online: https://nvd.nist.gov/vuln/detail/CVE-2022-0543 (accessed on 27 December 2025).
- Spravil, J.; Hemminghaus, C.; von Rechenberg, M.; Padilla, E.; Bauer, J. Detecting maritime GPS spoofing attacks based on NMEA sentence integrity monitoring. J. Mar. Sci. Eng. 2023, 11, 928. [Google Scholar] [CrossRef]
- Adámek, P. Security of the Lua Sandbox. Bachelor’s Thesis, Czech Technical University in Prague, Prague, Czech Republic, 2022. [Google Scholar]
- Strohmeier, M. Security in Next Generation Air Traffic Communication Networks. Ph.D. Thesis, University of Oxford, Oxford, UK, 2016. [Google Scholar]
- Schmittner, C.; Ma, Z.; Schoitsch, E.; Gruber, T. A Case Study of FMVEA and CHASSIS as Safety and Security Co-Analysis Method for Automotive Cyber-physical Systems. In Proceedings of the 1st ACM Workshop on Cyber-Physical System Security (CPSS ’15), Singapore, 14 April 2015; ACM: New York, NY, USA, 2015; pp. 69–80. [Google Scholar] [CrossRef]
- Ohm, M.; Plate, H.; Sykosch, A.; Meier, M. Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Proceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2020), Lisbon, Portugal, 24–26 June 2020; Springer: Cham, Switzerland, 2020; pp. 23–43. [Google Scholar] [CrossRef]
- Raymaker, A.; Kumar, A.; Wong, M.Y.; Pickren, R.; Chhotaray, A.; Li, F.; Zonouz, S.; Beyah, R. A Sea of Cyber Threats: Maritime Cybersecurity from the Perspective of Mariners. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS ’25), Salt Lake City, UT, USA, 13–17 October 2025; ACM: New York, NY, USA, 2025; pp. 588–602. [Google Scholar] [CrossRef]
- Lipp, S.; Banescu, S.; Pretschner, A. An empirical study on the effectiveness of static C code analyzers for vulnerability detection. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2022), Virtual, 18–22 July 2022; ACM: New York, NY, USA, 2022; pp. 544–555. [Google Scholar] [CrossRef]
- Charoenwet, W.; Thongtanunam, P.; Pham, V.-T.; Treude, C. An Empirical Study of Static Analysis Tools for Secure Code Review. In Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2024), Vienna, Austria, 16–20 September 2024; ACM: New York, NY, USA, 2024; pp. 691–703. [Google Scholar] [CrossRef]
- Li, K.; Chen, S.; Fan, L.; Feng, R.; Liu, H.; Liu, C.; Liu, Y.; Chen, Y. Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java. In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2023), San Francisco, CA, USA, 3–9 December 2023; ACM: New York, NY, USA, 2023; pp. 921–933. [Google Scholar] [CrossRef]
- Xiang, J.; Fu, L.; Ye, T.; Liu, P.; Le, H.; Zhu, L.; Wang, W. LuaTaint: A Static Analysis System for Web Configuration Interface Vulnerability of Internet of Things Devices. IEEE Internet Things J. 2025, 12, 5970–5984. [Google Scholar] [CrossRef]
- Costin, A. Lua Code: Security Overview and Practical Approaches to Static Analysis. In Proceedings of the IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA, 25 May 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 30–38. [Google Scholar] [CrossRef]
- Qian, Z.; Zhong, F.; Hu, Q.; Jiang, Y.; Huang, J.; Ren, M.; Yu, J. Software Vulnerability Analysis Across Programming Language and Program Representation Landscapes: A Survey. arXiv 2025, arXiv:2503.20244. [Google Scholar] [CrossRef]
- Li, Z.; Dutta, S.; Naik, M. IRIS: LLM-Assisted Static Analysis for Detecting Security Vulnerabilities. arXiv 2025, arXiv:2405.17238. [Google Scholar]
- Lin, S. LLM-Driven Adaptive Source-Sink Identification and False Positive Mitigation for Static Analysis (AdaTaint). arXiv 2025, arXiv:2511.04023. [Google Scholar]
- Hu, J.; Jin, X.; Zeng, Y.; Liu, Y.; Li, Y.; Du, D.; Xie, K.; Zhu, H. QLPro: Automated Code Vulnerability Discovery via LLM and Static Code Analysis Integration. arXiv 2025, arXiv:2506.23644. [Google Scholar] [CrossRef]
- Wang, C.; Li, Z.; Dutta, S.; Naik, M. QLCoder: A Query Synthesizer For Static Analysis of Security Vulnerabilities. arXiv 2025, arXiv:2511.08462. [Google Scholar] [CrossRef]
- Bennett, G.; Hall, T.; Winter, E.; Counsell, S. Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools. In Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering (EASE ’24), Salerno, Italy, 18–21 June 2024; ACM: New York, NY, USA, 2024; pp. 614–623. [Google Scholar] [CrossRef]
- Vaarandi, R.; Tsiopoulos, L.; Visky, G.; Rehman, M.U.; Bahşi, H. A Systematic Literature Review of Cyber Security Monitoring in Maritime. IEEE Access 2025, 13, 85307–85329. [Google Scholar] [CrossRef]
- S-100 Expert Team. OpenS100. Available online: https://github.com/S-100ExpertTeam (accessed on 27 December 2025).
- Longo, G.; Orlich, A.; Musante, S.; Merlo, A.; Russo, E. MaCySTe: A virtual testbed for maritime cybersecurity. SoftwareX 2023, 23, 101426. [Google Scholar] [CrossRef]
- International Maritime Organization (IMO). SOLAS—Consolidated Edition, 2024, Chapter V—Regulation 19—Carriage Requirements For Shipborne Navigational Systems and Equipment; IMO: London, UK, 2024. [Google Scholar]
- International Hydrographic Organization. S-100 Infrastructure Centre Establishment Project Team (ICE PT) Report to HSSC-16, HSSC16-04.5A; IHO: Monaco, Monaco, 2024. [Google Scholar]
- International Association of Classification Societies. Unified Requirement E26: Cyber Resilience of Ships; IACS: London, UK, 2022. [Google Scholar]
- International Association of Classification Societies. Unified Requirement E27: Cyber Resilience of On-board Systems and Equipment; IACS: London, UK, 2022. [Google Scholar]





| Research Focus | Representative Studies | Key Limitation |
|---|---|---|
| ECDIS Security | [9,11,12] | Network-level only; no data standard security |
| S-100 Standard Security | Limited literature | Insufficient coverage despite 2029 mandate |
| Lua Sandbox Security | [13,16] | No maritime symbology application |
| Safety-Critical Systems | [17,18] | No embedded scripting frameworks |
| SAST Limitations | [21,22,23] | General vulnerabilities; 47–80% miss rates |
| Domain-Specific Analysis | [24,28] | IoT/general domains; no maritime tools |
| LLM-Assisted SAST | [27,29,30] | General code; no maritime application |
| Category | Definition | Example Issues |
|---|---|---|
| Memory | Memory management errors | Buffer Overflow, Memory Leak, Use-After-Free |
| Injection | Malicious command injection | SQL Injection, Script Injection, Command Injection |
| NullPointer | NULL pointer dereference | Uninitialized pointer usage |
| TypeSafety | Data type mismatch errors | Integer Overflow, Improper Type Casting |
| Initialization | Variable initialization omission | Uninitialized member variable usage |
| Input Validation | Lack of input validation | Path validation omission, File size validation absence |
| Logic | Program logic errors | Incorrect conditional statements, Resource leak |
| Concurrency | Concurrency handling errors | Race condition, Deadlock |
| Other | Other security issues | Configuration errors, Other weaknesses |
| Tool | Origin Code | Mapped Category | CWE |
|---|---|---|---|
| FlawFinder | CWE-78 | Injection | CWE-78 |
| FlawFinder | CWE-119 | Memory | CWE-119 |
| FlawFinder | CWE-362 | Concurrency | CWE-362 |
| CppCheck | nullPointer | NullPointer | CWE-476 |
| CppCheck | memleak | Memory | CWE-401 |
| CppCheck | uninitMemberVar | Initialization | CWE-457 |
| MSVC | C6386 | Memory | CWE-787 |
| MSVC | C6387 | NullPointer | CWE-476 |
| MSVC | C26495 | Initialization | CWE-457 |
| CodeQL | Inconsistent null | NullPointer | CWE-476 |
| CodeQL | Stack memory | Memory | CWE-562 |
| CodeQL | Constant return | Other | CWE-398 |
| Tool | Original Severity | Normalized | Rationale |
|---|---|---|---|
| FlawFinder | Risk Level 4-5 | High | Exploitable vulnerabilities |
| FlawFinder | Risk Level 3 | Medium | Potential security issues |
| FlawFinder | Risk Level 1-2 | Low | Minor concerns |
| CppCheck | Error | High | Critical errors |
| CppCheck | Warning | Medium | Potential bugs |
| CppCheck | Style, Performance | Low | Code quality issues |
| MSVC | C6386, C6387 | High | Memory/NULL pointer |
| MSVC | C26495, C4244 | Medium | Init./conversion |
| MSVC | C4819, C4101 | Low | Encoding/unused |
| CodeQL | Error | High | Semantic defects |
| CodeQL | Warning | Medium | Potential issues |
| CodeQL | Recommendation | Low | Code quality |
| No. | Vulnerability | Severity | Detection | PoC | Disclosure |
|---|---|---|---|---|---|
| 1 | Lua Interpreter (CWE-829) | 9.3 (Crit) | Expert | Yes (RCE) | Full (Section 5) |
| 2 | Integer Overflow (CWE-190) | 7.8 (High) | Expert | Yes (DoS) b | Restricted a |
| 3 | Buffer Overflow (CWE-120) | 7.8 (High) | Tools/Expert | Yes (DoS) c | Restricted a |
| 4 | Integer Truncation (CWE-681) | 4.3 (Med) | Expert | Yes (Code) d | Restricted a |
| 5–23 | Remaining 19 vulnerabilities (2.6–7.6) | Restricted a | Restricted a | ||
| Vulnerability Type | Det. | Reason for Failure |
|---|---|---|
| Unrestricted Lua Interpreter (CWE-829, 749) | 0/4 | Script engine APIs not flagged |
| SQL Injection (CWE-89) | 0/4 | Dynamic query not traced |
| Path Traversal (CWE-22) | 0/4 | Path validation not analyzed |
| Use-After-Free (CWE-416) | 1/4 | Complex lifetime analysis |
| Integer Overflow (CWE-190) | 0/4 | Cross-function overflow not traced |
| Uninitialized Member (CWE-457) | 3/4 | Simple syntactic pattern |
| Buffer Overflow (CWE-120) | 2/4 | Detected by MSVC, CodeQL |
| Function | Capability | Attack Scenario |
|---|---|---|
| os.execute() | Command execution | RCE, malware deployment |
| io.popen() | Process spawning | Backdoor, reverse shell |
| io.open() | File system access | Data exfiltration, ransomware |
| os.remove() | File deletion | Data destruction, DoS |
| debug.getinfo() | Runtime introspection | Sandbox escape, privilege escalation |
| loadfile() | Dynamic code loading | Payload staging, persistence |
| os.getenv() | Environment access | Credential harvesting |
| package.loadlib() | Native library loading | Arbitrary code execution |
| Target | Risk Factor | Status |
|---|---|---|
| os | execute, exit, remove, rename | Blocked |
| io | open, popen, read, write | Blocked |
| debug | Sandbox bypass capabilities | Blocked |
| package.loadlib | Native DLL loading | Blocked |
| package.cpath | C library search path | Empty string |
| loadfile/dofile | External file execution | Blocked |
| rawset | __newindex bypass, table tampering | Blocked |
| load/loadstring | Dynamic code evaluation | Blocked |
| Test Scenario | Expected Behavior | Result |
|---|---|---|
| Direct os.execute() | Returns nil, no execution | Pass |
| rawget(_G, “os”) bypass | Returns nil, bypass fails | Pass |
| Malicious PC loading | RCE blocked, chart renders | Pass |
| Normal PC loading | Chart rendering succeeds | Pass |
| Feature processing | Visualization rules execute | Pass |
| System stability | No crashes or errors | Pass |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Cho, H.; Lee, C.; Lee, S. Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software. Sensors 2026, 26, 1246. https://doi.org/10.3390/s26041246
Cho H, Lee C, Lee S. Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software. Sensors. 2026; 26(4):1246. https://doi.org/10.3390/s26041246
Chicago/Turabian StyleCho, Hoyeon, Changui Lee, and Seojeong Lee. 2026. "Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software" Sensors 26, no. 4: 1246. https://doi.org/10.3390/s26041246
APA StyleCho, H., Lee, C., & Lee, S. (2026). Analysis of Security Vulnerabilities in S-100-Based Maritime Navigation Software. Sensors, 26(4), 1246. https://doi.org/10.3390/s26041246

