In recent years, as computers and networks have come into widespread use, their security problems have become increasingly evident. Most software contains security vulnerabilities, and once these are exploited by malicious hackers they cause enormous losses to software companies and users, so discovering software vulnerabilities is an important task. False positives and misjudgments are a common problem for vulnerability discovery techniques, and discovery should also be fast, finding as many exploitable vulnerabilities as possible in the least time. This study focuses on implementing a vulnerability discovery system for Microsoft Office document-processing programs. Because existing fuzz testing techniques do not take the file format into account, they consume large amounts of time and system resources. This study therefore examines existing software security testing methods and vulnerability discovery techniques and, drawing on fuzz testing theory and file format analysis, proposes a test framework that improves vulnerability discovery efficiency, for practical use by software vulnerability researchers. Experimental data show that the vulnerability discovery system built in this study finds weaknesses in Office document-processing software more quickly and reduces the time needed for vulnerability discovery.