PolicySmith Framework for Automated Policy Synthesis

• PolicySmith Framework is an automated system for synthesizing and refining optimal policies using LLM-driven candidate generation and formal verification.
• It employs a modular design with components like templates, generators, checkers, evaluators, heuristic databases, and search controllers to ensure precise policy deployment.
• The framework improves performance by generating instance-optimal heuristics that reduce manual intervention while maintaining correctness across diverse domains such as caching and security.

The PolicySmith framework is an automated approach to policy synthesis and refinement for complex systems, leveraging LLMs for code generation and formal compilation pipelines for precise enforcement. The framework encompasses methods for generating instance-optimal heuristics in domains such as systems controllers and security policy deployment, integrating structured templates, LLM-driven candidate generation, formal checking, and device-specific translation. PolicySmith is designed to replace manual, heuristic-based policy design and to guarantee correctness and contextual adaptability in deployment environments (Dwivedula et al., 9 Oct 2025, 0905.1362).

1. System Architecture and Components

PolicySmith partitions policy design into two principal phases: a minimal human-authored specification and a fully automated search or refinement loop. The former consists of a partial code template and formal constraints, while the latter executes a closed feedback loop.

Core components:

• Template: User-generated partial code or policy stub, annotated with strict constraints (e.g., permitted imports, forbidden operations, computational requirements), and an interface signature tailored to the target deployment (e.g., cache replacement hook, congestion callback, network access control).
• Generator: An LLM (e.g., GPT-4o-mini) that synthesizes candidate policies or heuristic functions, incorporating a prompt constructed from the template and carefully chosen in-context examples.
• Checker: A fast syntactic and semantic verifier—such as a language compiler for application code or the Linux eBPF verifier for kernel extensions—that enforces compliance with constraints and provides actionable error feedback to the generator.
• Evaluator: An execution harness that benchmarks each candidate heuristic or rule in realistic or emulated environments, returning a scalar reward (e.g., cache miss ratio, bandwidth utilization).
• Heuristic Database: A persistent archive of generated candidates and their empirical scores, supporting top-k sampling for subsequent rounds.
• Search Controller: Orchestrates generation, checking, evaluation, and in-context updating, iterating until convergence or a user-defined stopping criterion is met.

This modular arrangement enables generalization across domains, supporting both programmatic policy generation (code fragments) and formal policy refinement (security rules).

2. Algorithmic Workflow and Policy Synthesis

The central goal is to find, for a context $x$, the policy $h^*$ maximizing reward:

$h^*(x) = \arg\max_{h \in \mathcal{H}} R(x, h)$

where $\mathcal{H}$ is the discrete policy search space encoded by the template. The workflow is formalized as follows:

1. Seeding: Begin with a small set of expert- or baseline-derived example policies.
2. Prompt Construction: Assemble a generation prompt containing the interface signature, all constraints, and the current top-k examples from the heuristic database.
3. LLM Candidate Generation: For each iteration and sample:
   • Use the generator to suggest a candidate;
   • If the checker reports an error, feed the specific diagnostic back to the LLM as context for one retry;
   • Discard irreparably invalid samples.
4. Evaluation: Score each accepted candidate using the evaluator on an appropriate workload or input trace.
5. In-context Learning: Update the pool of in-context examples by selecting the top-k candidates by evaluator score, replacing or augmenting the original seed set.
6. Termination: Repeat until convergence or a fixed number of rounds; output the highest-scoring instance.

All in-context adaptation is achieved without explicit model parameter fine-tuning, relying exclusively on prompt engineering and structured interactive feedback.

3. Heuristic and Policy Representation

PolicySmith’s expressiveness is grounded in its tight coupling between representation and target domain. All generated policies are single-function, side-effect-free fragments constrained by exposed feature sets and interface restrictions.

Caching example: The priority() function in C++ takes object metadata (access counts, last access time, size), global percentiles, and evicted item histories, and outputs an integer score. The template enforces forbidden full cache scans, non-use of floating-point arithmetic, and specific complexity bounds (e.g., $O(\log N)$).

Congestion control example: The generated code is a logic fragment for kernel-level congestion adjustment, invoked via eBPF, with inputs as time-series of congestion window values, RTT, and inflight packet counts. The checker strictly enforces kernel safety: no floating point, bounded loops, safe memory operations.

These representations are determined by the minimal templates and explicit constraints given by the user, ensuring interpretability and enforceability.

4. Application Domains and Performance Evaluation

Web Caching

• Simulator: libCacheSim
• Datasets: CloudPhysics (105 traces), MSR (14 traces)
• Baseline heuristics: LRU, LFU, GDSF, LIRS, and 10 others
• Experiment: Per-trace search with $T=20$ rounds, $m=25$ samples per round ($500$ candidates per context)
• Metric: Miss ratio over FIFO baseline

Results:

Dataset	Heuristic	% of traces outperforming all baselines
CloudPhysics	A	48%
	B	42%
	C	14%
	D	31%
MSR	W	57%
	X	64%
	Y	57%
	Z	21%

A box-and-whisker summary demonstrated that the best PolicySmith-generated heuristic (PS-Oracle) achieves ≈2% higher miss reduction compared to the best of all hand-crafted baselines (B-Oracle) (Dwivedula et al., 9 Oct 2025).

Representative output (verbatim code fragment):

score = obj_info.count*20 age = now - obj_info.last_accessed; score -= age/300 score -= obj_info.size/500 if history.contains(obj_id): h=history.get_metadata(obj_id) score += h->count*15 + h->age_at_eviction_time/150 else score -=40 recent = ages.percentile(0.75); if last_accessed<recent score -=30 return score

The total computational cost for eight traces was approximately 5.5 CPU-hours, 800,000 input tokens, 300,000 output tokens, and \$7 in LLM inference fees.

Congestion Control

• Integration: eBPF attacher; kernel function probe for cong_control
• Compiler: Linux eBPF verifier for memory and safety constraints
• Emulation: Network with 12 Mbps link, 20 ms one-way delay (Mahimahi)

Results:

• Success rate: 63% compile on the first try; an additional 19% after structured feedback
• Behavioral span:
  • Bandwidth utilization: 23–98%
  • Queuing delay: 2–40 ms

This demonstrates both the feasibility of LLM-driven kernel-space synthesis and exploration of diverse operating regimes, beyond existing fixed strategies.

5. Refinement for Security Policy Deployment

The PolicySmith framework’s principles generalize to formal policy synthesis in security contexts. Here, access-control policies are encoded in the OrBAC model, and refined deterministically into device-specific configurations (0905.1362).

Methodology:

1. Formal Specification: Encode requirements as tuples (subject, action, object, context).
2. Anomaly–Consistency Checking: Identify and eliminate rule shadowing, conflicts, and redundancies in the abstract policy ($P_{\text{abstract}}$), guaranteeing a shadow-free and non-redundant rule set via formal lemmas:

Rule shadowing: A permission $p$ is shadowed by $q$ if $\text{Dom}(p) \subseteq \text{Dom}(q)$ and both lead to the same decision.

1. Multi-target Compilation: Translate abstract permissions into ordered, device-agnostic rules using role/activity/view hierarchies and network topology, with careful selection of devices based on context (firewall, VPN, IDS).
2. Device-specific Translation: Use an XSLT-like transformation library to yield iptables, Cisco PIX, Netasq, or Snort rules, matching target devices’ semantics (first/last matching, alert actions).
3. Correctness Guarantees: The process is proven to maintain semantic equivalence between the intended abstract policy and the distributed, concrete device rules:

$$\forall\,s \in S,\, a \in A,\, o \in O:\quad \varphi_{\text{abstract}}(s,a,o) = \top \iff \varphi_{\text{devices}}(s,a,o) = \top$$

1. Workflow: Collection of requirements, encoding, validation, dual-phase compilation, deployment via APIs or scripts, and monitoring of live security alerts and policy adherence.

6. Discussion and Future Trajectories

PolicySmith enables:

• Per-instance specialization versus universal policies, with possible triggers for automated re-synthesis under context drift (e.g., workload adaptation, guardrail monitoring).
• End-to-end system policy synthesis, coordinating across multiple subsystems (cache, RPC, congestion, scheduling).
• Opportunities for integrating policy synthesis with fuzzing, formal verification, or online learning to bridge simulation–reality gaps.
• Control over interpretability–expressiveness tradeoffs, using prompt engineering to bias toward simpler or more transparent policies when warranted.
• Developer tooling, including advanced prompting, debugging of generated policies, and guided insertion of expert hints.
• Extensions to further domains: kernel I/O schedulers, network packet classifiers, distributed protocol logic, and more.

A plausible implication is that LLM-guided policy synthesis could become a general methodology for building, refining, and deploying safe, high-performing instance-optimal controllers and enforcement policies throughout systems software and network security.

7. Related Frameworks and Comparative Context

The PolicySmith approach departs fundamentally from traditional manually tuned heuristics and ad hoc policy writing. Its policy refinement architecture for security deployment echoes established models of multi-phase compilation and verification, with formal mapping from high-level requirements to concrete device rules and provable guarantees of semantic preservation (0905.1362). Unlike static controller synthesis, PolicySmith utilizes active search, structured error-driven adaptation, and performance-grounded selection criteria, thereby exploring a wide combinatorial space of possible implementations without loss of correctness or safety constraints.