2 Background

This chapter provides the foundational and necessary background for this thesis, by exploring the core concepts and technological advances central to modern fuzzing and Large Language Models (LLMs). It begins with an in-depth definition and overview of fuzz testing—an automated technique for uncovering software bugs and vulnerabilities through randomized input generation—highlighting its methodology, tools, and impact. What follows is a discussion on LLMs and their transformative influence on natural language processing, programming, and code generation. Challenges and opportunities in applying LLMs to tasks such as fuzzing harness generation are examined, leading to a discussion of Neurosymbolic AI, an emerging approach that combines neural and symbolic reasoning to address the limitations of current AI systems. This multifaceted background establishes the context necessary for understanding the research and innovations presented in subsequent chapters.

2.1 Fuzz Testing

Fuzzing is an automated software-testing technique in which a Program Under Test (PUT) is executed with (pseudo-)random inputs in the hope of exposing undefined behavior. When such behavior manifests as a crash, hang, or memory-safety violation, the corresponding input constitutes a test-case that reveals a bug and often a vulnerability [1]. In a certain sense, fuzzing is a form of adversarial, penetration-style testing carried out by the defender before the adversary has an opportunity to do so. Interest in the technique surged after the publication of three practitioner-oriented books in 2007–2008 [2], [3], [4].

Historically, the term was coined by Miller et al. in 1990, who used “fuzz” to describe a program that “generates a stream of random characters to be consumed by a target program” [5]. This informal usage captured the essence of what fuzzing aims to do: stress test software by bombarding it with unexpected inputs to reveal bugs. To formalize this concept, we adopt Manes et al.’s rigorous definitions [1]:

Definition 2.1 (Fuzzing) Fuzzing is the execution of a Program Under Test (PUT) using input(s) sampled from an input space (the fuzz input space) that protrudes the expected input space of the PUT [1].

This means fuzzing involves running the target program on inputs that go beyond those it is typically designed to handle, aiming to uncover hidden issues. An individual instance of such execution—or a bounded sequence thereof—is called a fuzzing run. When these runs are conducted systematically and at scale with the specific goal of detecting violations of a security policy, the activity is known as fuzz testing (or simply fuzzing):

Definition 2.2 (Fuzz Testing) Fuzz testing is the use of fuzzing to test whether a PUT violates a security policy [1].

This distinction highlights that fuzz testing is fuzzing with an explicit focus on security properties and policy enforcement. Central to managing this process is the fuzzer engine, which orchestrates the execution of one or more fuzzing runs as part of a fuzz campaign. A fuzz campaign represents a concrete instance of fuzz testing tailored to a particular program and security policy:

Definition 2.3 (Fuzzer, Fuzzer Engine) A fuzzer is a program that performs fuzz testing on a PUT [1].

Definition 2.4 (Fuzz Campaign) A fuzz campaign is a specific execution of a fuzzer on a PUT with a specific security policy [1].

Throughout each execution within a campaign, a bug oracle plays a critical role in evaluating the program’s behavior to determine whether it violates the defined security policy:

Definition 2.5 (Bug Oracle) A bug oracle is a component (often inside the fuzzer) that determines whether a given execution of the PUT violates a specific security policy [1].

In practice, bug oracles often rely on runtime instrumentation techniques, such as monitoring for fatal POSIX signals (e.g., SIGSEGV) or using sanitizers like AddressSanitizer (ASan) [6]. Tools like LibFuzzer [7] commonly incorporate such instrumentation to reliably identify crashes or memory errors during fuzzing.

Most fuzz campaigns begin with a set of seeds—inputs that are well-formed and belong to the PUT’s expected input space—called a seed corpus. These seeds serve as starting points from which the fuzzer generates new test cases by applying transformations or mutations, thereby exploring a broader input space:

Definition 2.6 (Seed) An input given to the PUT that is mutated by the fuzzer to produce new test cases. During a fuzz campaign (Definition 2.4) all seeds are stored in a seed pool or corpus [1].

The process of selecting an effective initial corpus is crucial because it directly impacts how quickly and thoroughly the fuzzer can cover the target program’s code. This challenge—studied as the seed-selection problem—involves identifying seeds that enable rapid discovery of diverse execution paths and is non-trivial [8]. A well-chosen seed set often accelerates bug discovery and improves overall fuzzing efficiency.

2.1.1 Motivation

The purpose of fuzzing relies on the assumption that there are bugs within every program, which are waiting to be discovered. Therefore, a systematic approach should find them sooner or later.

— OWASP Foundation [9]

Fuzz testing provides several key advantages that contribute substantially to software quality and security. First, by uncovering vulnerabilities early in the development cycle, fuzzing reduces both the cost and risk associated with addressing security flaws after deployment. This proactive approach not only minimizes potential exposure but also streamlines the remediation process. Additionally, by subjecting software to the same randomized, adversarial inputs that malicious actors might use, fuzz testing puts defenders on equal footing with attackers, enhancing preparedness against emerging zero-day threats.

Beyond security, fuzzing plays a crucial role in improving the robustness and correctness of software systems. It is particularly effective at identifying logical errors and stability issues in complex, high-throughput APIs—such as decompressors and parsers—especially when these systems are expected to handle only well-formed inputs. Moreover, the integration of fuzz testing into continuous integration pipelines provides an effective guard against regressions. By systematically re-executing a corpus of previously discovered crashing inputs, developers can ensure that resolved bugs do not resurface in subsequent releases, thereby maintaining a consistent level of software reliability over time.

2.1.1.1 Success Stories

Heartbleed (CVE-2014-0160) [10], [11] arose from a buffer over-read¹ in the TLS implementation of the OpenSSL library [12], introduced on 1st of February 2012 and unnoticed until 1st of April 2014. Later analysis showed that a simple fuzz campaign exercising the TLS heartbeat extension would have revealed the defect almost immediately [13].

Likewise, the Shellshock (or Bashdoor) family of bugs in GNU Bash [14] enabled arbitrary command execution on many UNIX systems. While the initial flaw was fixed promptly, subsequent bug variants were discovered by Google’s Michał Zalewski using his own fuzzer—the now ubiquitous AFL fuzzer [15]—in late 2014 [16].

On the defensive tooling side, the security tool named Mayhem [17], [18]—developed by the company of the same name, formerly known as ForAllSecure—has since been adopted by the US Air Force, the Pentagon, Cloudflare, and numerous open-source communities. It has found and facilitated the remediation of thousands of previously unknown vulnerabilities, from errors in Cloudflare’s infrastructure to bugs in open-source projects like OpenWRT [19].

These cases underscore the central thesis of fuzz testing: exhaustive manual review is infeasible, but scalable stochastic exploration reliably surfaces the critical few defects that matter most.

2.1.2 Methodology

As previously discussed, fuzz testing of a PUT is typically conducted using a dedicated fuzzing engine (Definition 2.3). Among the most widely adopted fuzzers for C and C++ projects and libraries are AFL [15]—which has since evolved into AFL++ [20]—and LibFuzzer [7]. Within the OverHAuL framework, LibFuzzer is preferred due to its superior suitability for library fuzzing, whereas AFL++ predominantly targets executables and binary fuzzing.

2.1.2.1 LibFuzzer

LibFuzzer [7] is an in-process, coverage-guided evolutionary fuzzing engine primarily designed for testing libraries. It forms part of the LLVM ecosystem [21] and operates by linking directly with the library under evaluation. The fuzzer delivers mutated input data to the library through a designated fuzzing entry point, commonly referred to as the fuzz target or harness.

Definition 2.7 (Fuzz target) A function that accepts a byte array as input and exercises the application programming interface (API) under test using these inputs [7]. This construct is also known as a fuzz driver, fuzzer entry point, or fuzzing harness.

For the remainder of this thesis, the terms presented in Definition 2.7 will be used interchangeably.

To effectively validate an implementation or library, developers are required to author a fuzzing harness that invokes the target library’s API functions utilizing the fuzz-generated inputs. This harness serves as the principal interface for the fuzzer and is executed iteratively, each time with mutated input designed to maximize code coverage and uncover defects. To comply with LibFuzzer’s interface requirements, a harness must conform to the function signature shown in Listing 2.1. A more illustrative example of such a harness is provided in Listing 2.2.

Listing 2.1: This function receives the fuzzing input via a pointer to an array of bytes (Data) and its associated size (Size). Efficiency in fuzzing is achieved by invoking the API of interest within the body of this function, thereby allowing the fuzzer to explore a broad spectrum of behavior through systematic input mutation.

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  DoSomethingInterestingWithData(Data, Size);
  return 0;
}

Listing 2.2: This example demonstrates a minimal harness that triggers a controlled crash upon receiving HI! as input.

// test_fuzzer.cpp
#include <stdint.h>
#include <stddef.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size > 0 && data[0] == 'H')
    if (size > 1 && data[1] == 'I')
      if (size > 2 && data[2] == '!')
        __builtin_trap();
  return 0;
}

To compile and link such a harness with LibFuzzer, the Clang compiler—also part of the LLVM project [21]—must be used alongside appropriate compiler flags. For instance, compiling the harness in Listing 2.2 can be achieved as shown in Listing 2.3.

Listing 2.3: This example illustrates the compilation and execution workflow necessary for deploying a LibFuzzer-based fuzzing harness.

# Compile test_fuzzer.cc with AddressSanitizer and link against LibFuzzer.
clang++ -fsanitize=address,fuzzer test_fuzzer.cc
# Execute the fuzzer without any pre-existing seed corpus.
./a.out

2.1.2.2 AFL and AFL++

American Fuzzy Lop (AFL) [15], developed by Michał Zalewski, is a seminal fuzzer targeting C and C++ applications. Its core methodology relies on instrumented binaries to provide edge coverage feedback, thereby guiding input mutation towards unexplored program paths. AFL supports several emulation backends including QEMU [22]—an open-source CPU emulator facilitating fuzzing on diverse architectures—and Unicorn [23], a lightweight multi-platform CPU emulator. While AFL established itself as a foundational tool within the fuzzing community, its successor AFL++ [20] incorporates numerous enhancements and additional features to improve fuzzing efficacy.

AFL operates by ingesting seed inputs from a specified directory (seeds_dir), applying mutations, and then executing the target binary to discover novel execution paths. Execution can be initiated using the following command-line syntax:

./afl-fuzz -i seeds_dir -o output_dir -- /path/to/tested/program

AFL is capable of fuzzing both black-box and instrumented binaries, employing a fork-server mechanism to optimize performance. It additionally supports persistent mode execution as well as modes leveraging QEMU and Unicorn emulators, thereby providing extensive flexibility for different testing environments.

Although AFL is traditionally utilized for fuzzing standalone programs or binaries, it is also capable of fuzzing libraries and other software components. In such scenarios, rather than implementing the LLVMFuzzerTestOneInput style harness, AFL can use the standard main() function as the fuzzing entry point. Nonetheless, AFL also accommodates integration with LLVMFuzzerTestOneInput-based harnesses, underscoring its adaptability across varied fuzzing use cases.

2.1.3 Challenges in Adoption

Despite its potential for uncovering software vulnerabilities, fuzzing remains a relatively underutilized testing technique compared to more established methodologies such as Test-Driven Development (TDD). This limited adoption can be attributed, in part, to the substantial initial investment required to design and implement appropriate test harnesses that enable effective fuzzing processes. Furthermore, the interpretation of fuzzing outcomes—particularly the identification, diagnostic analysis, and prioritization of program crashes—demands considerable resources and specialized expertise. These factors collectively pose significant barriers to the widespread integration of fuzzing within standard software development and testing practices. OverHAuL addresses this challenge by facilitating the seamless integration of fuzzing into developers’ workflows, minimizing initial barriers and reducing upfront costs to an almost negligible level.

2.2 Large Language Models

Natural Language Processing (NLP), a subfield of AI, has a rich and ongoing history that has evolved significantly since its beginning in the 1990s [24], [25]. Among the most notable—and recent—advancements in this domain are LLMs, which have transformed the landscape of NLP and AI in general.

At the core of many LLMs is the attention mechanism, which was introduced by Bahdanau et al. in 2014 [26]. This pivotal innovation enabled models to focus on relevant parts of the input sequence when making predictions, significantly improving language understanding and generation tasks. Building on this foundation, the Transformer architecture was proposed by Vaswani et al. in 2017 [27]. This architecture has become the backbone of most contemporary LLMs, as it efficiently processes sequences of data, capturing long-range dependencies without being hindered by sequential processing limitations.

One of the first major breakthroughs utilizing the Transformer architecture was BERT (Bidirectional Encoder Representations from Transformers), developed by Devlin et al. in 2019 [28]. BERT’s bi-directional understanding allowed it to capture the context of words from both directions, which improved the accuracy of various NLP tasks. Following this, the Generative Pre-trained Transformer (GPT) series, initiated by OpenAI with the original GPT model in 2018 [29], further pushed the boundaries. Subsequent iterations, including GPT-2 [30], GPT-3 [31], and the most current GPT-4 [32], have continued to enhance performance by scaling model size, data, and training techniques.

In addition to OpenAI’s contributions, other significant models have emerged, such as Claude, DeepSeek-R1 and the Llama series (1 through 3) [33], [34], [35]. The proliferation of LLMs has sparked an active discourse about their capabilities, applications, and implications in various fields.

2.2.1 State-of-the-art GPTs

User-facing LLMs are generally categorized between closed-source and open-source models. Closed-source LLMs like ChatGPT, Claude, and Gemini [33], [36], [37] represent commercially developed systems often optimized for specific tasks without public access to their underlying weights. In contrast, open-source models², including the Llama series [35] and Deepseek [34], provide researchers and practitioners with access to model weights, allowing for greater transparency and adaptability.

2.2.2 Prompting

Interaction with LLMs typically occurs through chat-like interfaces where the user gives queries and tasks for the LLM to answer and complete, a process commonly referred to as prompting. A critical aspect of effective engagement with LLMs is the usage of different prompting strategies, which can significantly influence the quality and relevance of the generated outputs. Various approaches to prompting have been developed and studied, including zero-shot and few-shot prompting. In zero-shot prompting, the model is expected to perform the given task without any provided examples, while in few-shot prompting, the user offers a limited number of examples to guide the model’s responses [31].

To enhance performance on more complex tasks, several advanced prompting techniques have emerged. One notable strategy is the Chain of Thought approach (COT) [38], which entails presenting the model with sample thought processes for solving a given task. This method encourages the model to generate more coherent and logical reasoning by mimicking human-like cognitive pathways. A more refined but complex variant of this approach is the Tree of Thoughts technique [39], which enables the LLM to explore multiple lines of reasoning concurrently, thereby facilitating the selection of the most promising train of thought for further exploration.

In addition to these cognitive strategies, Retrieval-Augmented Generation (RAG) [40] is another innovative technique that enhances the model’s capacity to provide accurate information by incorporating external knowledge not present in its training dataset. RAG operates by integrating the LLM with an external storage system—often a vector store containing relevant documents—that the model can query in real-time. This allows the LLM to pull up pertinent and/or proprietary information in response to user queries, resulting in more comprehensive and accurate answers.

Moreover, the ReAct framework [41], which stands for Reasoning and Acting, empowers LLMs by granting access to external tools. This capability allows LLM instances to function as intelligent agents that can interact meaningfully with their environment through user-defined functions. For instance, a ReAct tool could be a function that returns a weather forecast based on the user’s current location. In this scenario, the LLM can provide accurate and truthful predictions, thereby mitigating risks associated with hallucinated responses.

2.2.3 LLMs for Coding

The impact of LLMs in software development in recent years is apparent, with hundreds of LLM-assistance extensions and Integrated Development Environments (IDEs) being published. Notable instances include tools like GitHub Copilot and IDEs such as Cursor [42], [43], which leverage LLM capabilities to provide developers with coding suggestions, auto-completions, and even real-time debugging assistance. Such innovations have introduced a layer of interaction that enhances productivity and fosters a more intuitive coding experience. Additionally, more and more LLMs are now specifically trained for usage in code-generation tasks [44], [45], [46].

One exemplary product of this innovation is vibecoding and the no-code movement, which describe the development of software by only prompting and tasking an LLM, i.e. without any actual programming required by the user. This constitutes a showcase of how LLMs can be used to elevate the coding experience by supporting developers as they navigate complex programming tasks [47]. By analyzing the context of the code being written, these sophisticated models can provide contextualized insights and relevant snippets, effectively streamlining the development process. Developers can benefit from reduced cognitive load, as they receive suggestions that not only cater to immediate coding needs but also promote adherence to best practices and coding standards.

Despite these advancements, it is crucial to recognize the inherent limitations of LLMs when applied to software development. While they can help in many aspects of coding, they are not immune to generating erroneous outputs—a phenomenon often referred to as “hallucination” [48]. Hallucinations occur when LLMs produce information that is unfounded or inaccurate, which can stem from several factors, including the limitations of their training data and the constrained context window within which they operate. As LLMs generate code suggestions based on the patterns learned from vast datasets, they may inadvertently propose solutions that do not align with the specific requirements of a task or that utilize outdated programming paradigms.

Moreover, the challenge of limited context windows can lead to suboptimal suggestions [49]. LLMs generally process a fixed amount of text when generating responses, which can impact their ability to fully grasp the nuances of complex coding scenarios. This may result in outputs that lack the necessary depth and specificity required for successful implementation. As a consequence, developers must exercise caution and critically evaluate the suggestions offered by these models, as reliance on them without due diligence could lead to the introduction of bugs or other issues in the code.

2.2.4 LLMs for Fuzzing

In the domain of fuzzing, recent research has explored the application of LLMs primarily along two axes: employing LLMs to generate seeds and inputs for the program under test [50], [51], [52], [53] and leveraging them to generate the fuzz driver itself (Chapter 5). This thesis focuses on the latter, recognizing that while using LLMs for seed generation offers certain advantages, the challenge of automating harness generation represents a deeper and more meaningful frontier. Significant limitations such as restricted context windows and the propensity for LLMs to hallucinate remain central concerns in this area [48], [49].

The process of constructing a fuzzing harness is inherently complex, demanding a profound understanding of the target library and the nuanced interactions among its components. Achieving this level of comprehension is often beyond the reach of LLMs when deployed in isolation. Empirical evidence by Jiang et al. [54] demonstrates that zero-shot harness generation with LLMs is both ineffective and prone to significant errors. Specifically, LLMs tend to rely heavily on patterns encountered during training, which leads to the erroneous invocation of APIs, particularly when their context window is pushed to its limits. This over-reliance on training data exacerbates the risk of hallucination, compounding the challenge of generating correct and robust fuzz drivers.

Compounding this issue is the inherent risk introduced by error-prone code synthesized by LLMs. In the context of fuzzing, a fundamental requirement is the clear attribution of observed failures: developers must be confident that detected crashes stem from vulnerabilities in the tested software rather than flaws or bugs inadvertently introduced by the harness. This necessity imposes an additional verification burden, increasing developers’ cognitive load and diverting attention from the primary goal of meaningful software evaluation and improvement.

Enhancing the reliability of LLM-generated harnesses thus necessitates systematic and programmatic evaluation and validation of generated artifacts [55]. Such validation involves implementing structured techniques to rigorously assess both the accuracy and robustness of the code, confirming that it interacts correctly with the relevant software components and behaves as intended. This approach aligns with the emerging framework of Neurosymbolic AI (Section 2.3), which integrates the statistical learning capabilities of neural networks with the rigor and precision of symbolic reasoning. By leveraging the strengths of both paradigms, neuroscience-inspired symbolic methods [56] may offer pathways toward more reliable and effective LLM-generated fuzzing harnesses, facilitating a smoother integration of automated testing practices into established software development pipelines [57], [58].

2.3 Neurosymbolic AI

Neurosymbolic AI represents a groundbreaking fusion of neural network methodologies with symbolic execution techniques and tools, providing a multi-faceted approach to overcoming the inherent limitations of traditional AI paradigms [59], [60]. This innovative synthesis seeks to combine the strengths of both neural networks, which excel in pattern recognition and data-driven learning, and symbolic systems, which offer structured reasoning and interpretability. By integrating these two approaches, neurosymbolic AI aims to create cognitive models that are not only more accurate but also more robust in problem-solving contexts.

At its core, Neurosymbolic AI facilitates the development of AI systems that are capable of understanding and interpreting feedback in real-world scenarios [61]. This characteristic is particularly significant in the current landscape of artificial intelligence, where LLMs are predominant. In this context, Neurosymbolic AI is increasingly viewed as a critical solution to pressing issues related to explainability, attribution, and reliability in AI systems [55], [62]. These challenges are essential for ensuring that AI systems can be trusted and effectively utilized in various applications, from business to healthcare.

The burgeoning field of neurosymbolic AI is still in its nascent stages, with ongoing research and development actively exploring its potential to enhance attribution methodologies within large language models. By addressing these critical challenges, Neurosymbolic AI can significantly contribute to the broader landscape of trustworthy AI systems, allowing for more transparent and accountable decision-making processes [55], [59], [62].

Moreover, the application of neurosymbolic AI within the domain of fuzzing is gaining traction, paving the way for innovative explorations. This integration of LLMs with symbolic systems opens up new avenues for research. Currently, there are only a limited number of tools that support such hybrid approaches (Chapter 5). Among these, OverHAuL constitutes a Neuro[Symbolic] tool, as classified by Henry Kautz’s taxonomy [63], [64]. This means that the neural model—specifically the LLM—can leverage symbolic reasoning tools—in this case a source code explorer (Section 3.6)—to augment its reasoning capabilities. This symbiotic relationship enhances the overall efficacy and versatility of LLMs for fuzzing harnesses generation, demonstrating the profound potential held by the fusion of neural and symbolic methodologies.

[1]

V. J. M. Manes et al., “The Art, Science, and Engineering of Fuzzing: A Survey,” Apr. 07, 2019. doi: 10.48550/arXiv.1812.00140. Available: http://arxiv.org/abs/1812.00140

[2]

A. Takanen, J. DeMott, C. Miller, and A. Kettunen, Fuzzing for software security testing and quality assurance, Second edition. in Information security and privacy library. Boston London Norwood, MA: Artech House, 2018.

[3]

M. Sutton, A. Greene, and P. Amini, Fuzzing: Brute force vulnerabilty discovery. Upper Saddle River, NJ: Addison-Wesley, 2007.

[4]

N. Rathaus and G. Evron, Open source fuzzing tools. Burlington, MA: Syngress Pub, 2007.

[5]

B. P. Miller, L. Fredriksen, and B. So, “An empirical study of the reliability of UNIX utilities,” Commun. ACM, vol. 33, no. 12, pp. 32–44, Dec. 1990, doi: 10.1145/96267.96279. Available: https://dl.acm.org/doi/10.1145/96267.96279

[6]

K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov, “AddressSanitizer: A fast address sanity checker,” in 2012 USENIX annual technical conference (USENIX ATC 12), 2012, pp. 309–318. Available: https://www.usenix.org/conference/atc12/technical-sessions/presentation/serebryany

[7]

LLVM Project, “libFuzzer – a library for coverage-guided fuzz testing. — LLVM 21.0.0git documentation,” 2025. Available: https://llvm.org/docs/LibFuzzer.html

[8]

A. Rebert et al., “Optimizing seed selection for fuzzing,” in Proceedings of the 23rd USENIX conference on Security Symposium, in SEC’14. USA: USENIX Association, Aug. 2014, pp. 861–875.

[9]

OWASP Foundation, “Fuzzing.” Available: https://owasp.org/www-community/Fuzzing

[10]

Blackduck, Inc., “Heartbleed Bug,” Mar. 07, 2025. Available: https://heartbleed.com/

[11]

CVE Program, “CVE - CVE-2014-0160,” 2014. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160

[12]

The OpenSSL Project, “Openssl/openssl.” OpenSSL, Jul. 15, 2025. Available: https://github.com/openssl/openssl

[13]

D. Wheeler, “How to Prevent the next Heartbleed,” 2014. Available: https://dwheeler.com/essays/heartbleed.html

[14]

GNU Project, “Bash - GNU Project - Free Software Foundation.” Available: https://www.gnu.org/software/bash/

[15]

M. Zalewski, “American fuzzy lop.” Available: https://lcamtuf.coredump.cx/afl/

[16]

J. Saarinen, “Further flaws render Shellshock patch ineffective,” Sep. 29, 2014. Available: https://www.itnews.com.au/news/further-flaws-render-shellshock-patch-ineffective-396256

[17]

T. Avgerinos et al., “The mayhem cyber reasoning system,” IEEE Security & Privacy, vol. 16, no. 2, pp. 52–60, 2018.

[18]

S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley, “Unleashing mayhem on binary code,” in 2012 IEEE symposium on security and privacy, IEEE, 2012, pp. 380–394.

[19]

T. Simonite, “This Bot Hunts Software Bugs for the Pentagon,” Wired, Jun. 01, 2020. Available: https://www.wired.com/story/bot-hunts-software-bugs-pentagon/

[20]

M. Heuse, H. Eißfeldt, A. Fioraldi, and D. Maier, “AFL++.” Jan. 2022. Available: https://github.com/AFLplusplus/AFLplusplus

[21]

LLVM Project, “The LLVM Compiler Infrastructure Project,” 2025. Available: https://llvm.org/

[22]

F. Bellard, P. Maydell, and QEMU Team, “QEMU.” May 29, 2025. Available: https://www.qemu.org/

[23]

Unicorn Engine, “Unicorn-engine/unicorn.” Unicorn Engine, Jul. 15, 2025. Available: https://github.com/unicorn-engine/unicorn

[24]

H. Li, “Language models: Past, present, and future,” Commun. ACM, vol. 65, no. 7, pp. 56–63, Jun. 2022, doi: 10.1145/3490443. Available: https://dl.acm.org/doi/10.1145/3490443

[25]

Z. Wang, Z. Chu, T. V. Doan, S. Ni, M. Yang, and W. Zhang, “History, development, and principles of large language models: An introductory survey,” AI Ethics, vol. 5, no. 3, pp. 1955–1971, Jun. 2025, doi: 10.1007/s43681-024-00583-7. Available: https://doi.org/10.1007/s43681-024-00583-7

[26]

D. Bahdanau, K. Cho, and Y. Bengio, “Neural Machine Translation by Jointly Learning to Align and Translate,” May 19, 2016. doi: 10.48550/arXiv.1409.0473. Available: http://arxiv.org/abs/1409.0473

[27]

A. Vaswani et al., “Attention Is All You Need,” Aug. 01, 2023. doi: 10.48550/arXiv.1706.03762. Available: http://arxiv.org/abs/1706.03762

[28]

J. Devlin, M.-W. Chang, K. Lee, and K. Toutanova, “BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding,” May 24, 2019. doi: 10.48550/arXiv.1810.04805. Available: http://arxiv.org/abs/1810.04805

[29]

A. Radford, K. Narasimhan, T. Salimans, and I. Sutskever, “Improving language understanding by generative pre-training,” 2018, Available: https://www.mikecaptain.com/resources/pdf/GPT-1.pdf

[30]

A. Radford, J. Wu, R. Child, D. Luan, D. Amodei, and I. Sutskever, “Language models are unsupervised multitask learners,” OpenAI blog, vol. 1, no. 8, p. 9, 2019, Available: https://storage.prod.researchhub.com/uploads/papers/2020/06/01/language-models.pdf

[31]

T. B. Brown et al., “Language Models are Few-Shot Learners,” Jul. 22, 2020. doi: 10.48550/arXiv.2005.14165. Available: http://arxiv.org/abs/2005.14165

[32]

OpenAI et al., “GPT-4 Technical Report,” Mar. 04, 2024. doi: 10.48550/arXiv.2303.08774. Available: http://arxiv.org/abs/2303.08774

[33]

Anthropic, “Claude,” 2025. Available: https://claude.ai/new

[34]

DeepSeek-AI et al., “DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning,” Jan. 22, 2025. doi: 10.48550/arXiv.2501.12948. Available: http://arxiv.org/abs/2501.12948

[35]

A. Grattafiori et al., “The Llama 3 Herd of Models,” Nov. 23, 2024. doi: 10.48550/arXiv.2407.21783. Available: http://arxiv.org/abs/2407.21783

[36]

OpenAI, “ChatGPT,” 2025. Available: https://chatgpt.com

[37]

Google, “‎Google Gemini,” 2025. Available: https://gemini.google.com

[38]

J. Wei et al., “Chain-of-Thought Prompting Elicits Reasoning in Large Language Models,” Jan. 10, 2023. doi: 10.48550/arXiv.2201.11903. Available: http://arxiv.org/abs/2201.11903

[39]

S. Yao et al., “Tree of Thoughts: Deliberate Problem Solving with Large Language Models,” Dec. 03, 2023. doi: 10.48550/arXiv.2305.10601. Available: http://arxiv.org/abs/2305.10601

[40]

P. Lewis et al., “Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,” Apr. 12, 2021. doi: 10.48550/arXiv.2005.11401. Available: http://arxiv.org/abs/2005.11401

[41]

S. Yao et al., “ReAct: Synergizing Reasoning and Acting in Language Models,” Mar. 10, 2023. doi: 10.48550/arXiv.2210.03629. Available: http://arxiv.org/abs/2210.03629

[42]

Anysphere, “Cursor - The AI Code Editor,” 2025. Available: https://cursor.com/

[43]

Microsoft, “GitHub Copilot · Your AI pair programmer,” 2025. Available: https://github.com/features/copilot

[44]

E. Nijkamp et al., “CodeGen: An open large language model for code with multi-turn program synthesis,” ICLR, 2023.

[45]

E. Nijkamp, H. Hayashi, C. Xiong, S. Savarese, and Y. Zhou, “CodeGen2: Lessons for training llms on programming and natural languages,” ICLR, 2023.

[46]

OpenAI, “Introducing GPT-4.1 in the API,” Apr. 14, 2025. Available: https://openai.com/index/gpt-4-1/

[47]

A. Sarkar and I. Drosos, “Vibe coding: Programming through conversation with artificial intelligence,” Jun. 29, 2025. doi: 10.48550/arXiv.2506.23253. Available: http://arxiv.org/abs/2506.23253

[48]

L. Huang et al., “A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions,” ACM Trans. Inf. Syst., vol. 43, no. 2, pp. 1–55, Mar. 2025, doi: 10.1145/3703155. Available: http://arxiv.org/abs/2311.05232

[49]

J. Kaddour, J. Harris, M. Mozes, H. Bradley, R. Raileanu, and R. McHardy, “Challenges and Applications of Large Language Models,” Jul. 19, 2023. doi: 10.48550/arXiv.2307.10169. Available: http://arxiv.org/abs/2307.10169

[50]

Y. Deng, C. S. Xia, H. Peng, C. Yang, and L. Zhang, “Large Language Models Are Zero-Shot Fuzzers: Fuzzing Deep-Learning Libraries via Large Language Models,” in Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, in ISSTA 2023. New York, NY, USA: Association for Computing Machinery, Jul. 2023, pp. 423–435. doi: 10.1145/3597926.3598067. Available: https://dl.acm.org/doi/10.1145/3597926.3598067

[51]

G. Black, V. Mathew Vaidyan, and G. Comert, “Evaluating Large Language Models for Enhanced Fuzzing: An Analysis Framework for LLM-Driven Seed Generation,” IEEE Access, vol. 12, pp. 156065–156081, 2024, doi: 10.1109/ACCESS.2024.3484947. Available: https://ieeexplore.ieee.org/abstract/document/10731701

[52]

W. Shi, Y. Zhang, X. Xing, and J. Xu, “Harnessing Large Language Models for Seed Generation in Greybox Fuzzing,” Nov. 27, 2024. doi: 10.48550/arXiv.2411.18143. Available: http://arxiv.org/abs/2411.18143

[53]

Y. Deng, C. S. Xia, C. Yang, S. D. Zhang, S. Yang, and L. Zhang, “Large Language Models are Edge-Case Fuzzers: Testing Deep Learning Libraries via FuzzGPT,” Apr. 04, 2023. doi: 10.48550/arXiv.2304.02014. Available: http://arxiv.org/abs/2304.02014

[54]

Y. Jiang et al., “When Fuzzing Meets LLMs: Challenges and Opportunities,” in Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering, in ACM Conferences. 2024, pp. 492–496. doi: 10.1145/3663529.3663784. Available: https://dl.acm.org/doi/abs/10.1145/3663529.3663784

[55]

D. Tilwani, R. Venkataramanan, and A. P. Sheth, “Neurosymbolic AI approach to Attribution in Large Language Models,” Sep. 30, 2024. doi: 10.48550/arXiv.2410.03726. Available: http://arxiv.org/abs/2410.03726

[56]

D. Kahneman, Thinking, fast and slow, 1st ed. New York: Farrar, Straus and Giroux, 2011.

[57]

A. Mastropaolo and D. Poshyvanyk, “A Path Less Traveled: Reimagining Software Engineering Automation via a Neurosymbolic Paradigm,” May 04, 2025. doi: 10.48550/arXiv.2505.02275. Available: http://arxiv.org/abs/2505.02275

[58]

A. Velasco, A. Garryyeva, D. N. Palacio, A. Mastropaolo, and D. Poshyvanyk, “Toward Neurosymbolic Program Comprehension,” Feb. 03, 2025. doi: 10.48550/arXiv.2502.01806. Available: http://arxiv.org/abs/2502.01806

[59]

A. Sheth, K. Roy, and M. Gaur, “Neurosymbolic AI – Why, What, and How,” May 01, 2023. doi: 10.48550/arXiv.2305.00813. Available: http://arxiv.org/abs/2305.00813

[60]

A. d’Avila Garcez and L. C. Lamb, “Neurosymbolic AI: The 3rd Wave,” Dec. 16, 2020. doi: 10.48550/arXiv.2012.05876. Available: http://arxiv.org/abs/2012.05876

[61]

D. Ganguly, S. Iyengar, V. Chaudhary, and S. Kalyanaraman, “Proof of Thought : Neurosymbolic Program Synthesis allows Robust and Interpretable Reasoning,” Sep. 25, 2024. doi: 10.48550/arXiv.2409.17270. Available: http://arxiv.org/abs/2409.17270

[62]

M. Gaur and A. Sheth, “Building Trustworthy NeuroSymbolic AI Systems: Consistency, Reliability, Explainability, and Safety,” Dec. 05, 2023. doi: 10.48550/arXiv.2312.06798. Available: http://arxiv.org/abs/2312.06798

[63]

M. K. Sarker, L. Zhou, A. Eberhart, and P. Hitzler, “Neuro-symbolic artificial intelligence: Current trends,” AIC, vol. 34, no. 3, pp. 197–209, Mar. 2022, doi: 10.3233/aic-210084. Available: https://journals.sagepub.com/doi/full/10.3233/AIC-210084

[64]

H. Kautz, “The Third AI Summer,” presented at the 34th Annual Meeting of the Association for the Advancement of Artificial Intelligence, Feb. 10, 2020. Available: https://www.youtube.com/watch?v=_cQITY0SPiw