6  Future Work

The prototype implementation of OverHAuL offers a compelling demonstration of its potential to automate the fuzzing process for open-source libraries, providing tangible benefits to developers and maintainers alike. This initial version successfully validates the core design principles underpinning OverHAuL, showcasing its ability to streamline and enhance the software testing workflow through automated generation of fuzz drivers using large language models. Nevertheless, while these foundational capabilities lay a solid groundwork, numerous avenues exist for further expansion, refinement, and rigorous evaluation to fully realize the tool’s potential and adapt to evolving challenges in software quality assurance.

6.1 Enhancements to Core Features

Enhancing OverHAuL’s core functionality represents a primary direction for future development. First, expanding support to encompass a wider array of build systems commonly employed in C and C++ projects—such as GNU Make, CMake, Meson, and Ninja [1], [2], [3], [4]—would significantly broaden the scope of libraries amenable to automated fuzzing using OverHAuL. This advancement would enable OverHAuL to scale effectively and be applied to larger, more complex codebases, thereby increasing its practical utility and impact.

Second, integrating additional fuzzing engines beyond LibFuzzer stands out as a strategic enhancement. Incorporation of widely adopted fuzzers like AFL++ [5] could diversify the fuzzing strategies available to OverHAuL, while exploring more experimental tools such as GraphFuzz [6] may pioneer specialized approaches for certain code patterns or architectures. Multi-engine support would also facilitate extending language coverage, for instance by incorporating fuzzers tailored to other programming ecosystems—for example, Google’s Atheris for Python projects [7]. Such versatility would position OverHAuL as a more universal fuzzing automation platform.

Third, the evaluation component of OverHAuL presents an opportunity for refinement through more sophisticated analysis techniques. Beyond the current criteria, incorporating dynamic metrics such as differential code coverage tracking between generated fuzz harnesses would yield deeper insights into test quality and coverage completeness. This quantitative evaluation could guide iterative improvements in fuzz driver generation and overall testing effectiveness.

Finally, OverHAuL’s methodology could be extended to leverage existing client codebases and unit tests in addition to the library source code itself, resources that for now OverHAuL leaves untapped. Inspired by approaches like those found in FUDGE and FuzzGen [8], [9], this enhancement would enable the tool to exploit programmer-written usage scenarios as seeds or contexts, potentially generating more meaningful and targeted fuzz inputs. Incorporating these richer information sources would likely improve the efficacy of fuzzing campaigns and uncover subtler bugs.

6.2 Experimentation with Large Language Models and Data Representation

OverHAuL’s reliance on large language models (LLMs) invites comprehensive experimentation with different providers and architectures to assess their comparative strengths and limitations. Conducting empirical evaluations across leading models—such as OpenAI’s o1 and o3 families and Anthropic’s Claude Opus 4—will provide valuable insights into their capabilities, cost-efficiency, and suitability for fuzz driver synthesis. Additionally, specialized code-focused LLMs, including generative and fill-in models like Codex-1 and CodeGen [10], [11], [12], merit exploration due to their targeted optimization for source code generation and understanding.

Another dimension worthy of investigation concerns the granularity of code chunking employed during the given project’s code processing stage. Whereas the current approach partitions code at the function level, experimenting with more nuanced segmentation strategies—such as splitting per step inside a function, as a finer-grained technique—could improve the semantic coherence of stored representations and enhance retrieval relevance during fuzz driver generation. This line of inquiry has the potential to optimize model input preparation and ultimately improve output quality.

6.3 Comprehensive Evaluation and Benchmarking

To thoroughly establish OverHAuL’s effectiveness, extensive large-scale evaluation beyond the initial 10-project corpus is imperative. Applying the tool to repositories indexed in the clib package manager [13], which encompasses hundreds of C libraries, would test scalability and robustness across diverse real-world settings. Such a broad benchmark would also enable systematic comparisons against state-of-the-art automated fuzzing frameworks like OSS-Fuzz-Gen and AutoGen, elucidating OverHAuL’s relative strengths and identifying areas for improvement [14], [15].

Complementing broad benchmarking, detailed ablation and matrix studies dissecting the contributions of individual pipeline components and algorithmic choices will yield critical insights into what drives OverHAuL’s performance. Understanding the impact of each module will guide targeted optimizations and support evidence-based design decisions.

Furthermore, an economic analysis exploring resource consumption—such as API token usage and associated monetary costs—relative to fuzzing effectiveness would be valuable for assessing the practical viability of integrating LLM-based fuzz driver generation into continuous integration processes.

6.4 Practical Deployment and Community Engagement

From a usability perspective, embedding OverHAuL within a GitHub Actions workflow represents a practical and impactful enhancement, enabling seamless integration with developers’ existing toolchains and continuous integration pipelines. This would promote wider adoption by reducing barriers to entry and fostering real-time feedback during code development cycles.

Additionally, establishing a mechanism to generate and submit automated pull requests (PRs) to the maintainers of fuzzed libraries—highlighting detected bugs and proposing patches—would not only validate OverHAuL’s findings but also contribute tangible improvements to open-source software quality. This collaborative feedback loop epitomizes the symbiosis between automated testing tools and the open-source community. As an initial step, developing targeted PRs for the projects where bugs were discovered during OverHAuL’s development would help facilitate practical follow-up and improvements.

[1]

A. Cedilnik, B. Hoffman, B. King, K. Martin, and A. Neundorf, “CMake - Upgrade Your Software Build System.” 2000. Available: https://cmake.org/

[2]

S. I. Feldman, “Make — a program for maintaining computer programs,” Software: Practice and Experience, vol. 9, no. 4, pp. 255–265, 1979, doi: 10.1002/spe.4380090402. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.4380090402

[3]

E. Martin, “Ninja-build/ninja.” ninja-build, Jul. 14, 2025. Available: https://github.com/ninja-build/ninja

[4]

J. Pakkanen, “Mesonbuild/meson.” The Meson Build System, Jul. 14, 2025. Available: https://github.com/mesonbuild/meson

[5]

M. Heuse, H. Eißfeldt, A. Fioraldi, and D. Maier, “AFL++.” Jan. 2022. Available: https://github.com/AFLplusplus/AFLplusplus

[6]

H. Green and T. Avgerinos, “GraphFuzz: Library API fuzzing with lifetime-aware dataflow graphs,” in Proceedings of the 44th International Conference on Software Engineering, Pittsburgh Pennsylvania: ACM, May 2022, pp. 1070–1081. doi: 10.1145/3510003.3510228. Available: https://dl.acm.org/doi/10.1145/3510003.3510228

[7]

Google, “Google/atheris.” Google, Apr. 09, 2025. Available: https://github.com/google/atheris

[8]

K. Ispoglou, D. Austin, V. Mohan, and M. Payer, “FuzzGen: Automatic fuzzer generation,” in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 2271–2287. Available: https://www.usenix.org/conference/usenixsecurity20/presentation/ispoglou

[9]

D. Babić et al., “FUDGE: Fuzz driver generation at scale,” in Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Tallinn Estonia: ACM, Aug. 2019, pp. 975–985. doi: 10.1145/3338906.3340456. Available: https://dl.acm.org/doi/10.1145/3338906.3340456

[10]

E. Nijkamp et al., “CodeGen: An open large language model for code with multi-turn program synthesis,” ICLR, 2023.

[11]

E. Nijkamp, H. Hayashi, C. Xiong, S. Savarese, and Y. Zhou, “CodeGen2: Lessons for training llms on programming and natural languages,” ICLR, 2023.

[12]

OpenAI, “Introducing GPT-4.1 in the API,” Apr. 14, 2025. Available: https://openai.com/index/gpt-4-1/

[13]

Clibs Project, “Clib Packages,” 2025. Available: https://github.com/clibs/clib/wiki/Packages

[14]

D. Liu, O. Chang, J. metzman, M. Sablotny, and M. Maruseac, “OSS-fuzz-gen: Automated fuzz target generation.” May 2024. Available: https://github.com/google/oss-fuzz-gen

[15]

Y. Sun, “Automated Generation and Compilation of Fuzz Driver Based on Large Language Models,” in Proceedings of the 2024 9th International Conference on Cyber Security and Information Engineering, in ICCSIE ’24. New York, NY, USA: Association for Computing Machinery, Dec. 2024, pp. 461–468. doi: 10.1145/3689236.3689272. Available: https://doi.org/10.1145/3689236.3689272