Effortlessly Protect Your Runtimes

Building the Best Runtime Security from the Kernel

Funded by Balaji Srinivasan, former CTO of Coinbase.

What Made Us Start Bomfather

We love writing security tools, but no solution in runtime security met the standards we wanted.

What we saw was:

Runtime security diagram showing vulnerabilities in existing solutions
  • Runtime security was insecure. You could run eBPF security solutions, but all existing ones are vulnerable to policy manipulation and can be shut down by malicious actors. You could try running a kernel module, but if there's even one bug in that kernel module, your kernel crashes. And userspace security solutions can't be trusted, since they don't run in the kernel, which renders them obsolete.
  • Runtime security was hard to use, like really hard. The configs were obscure and pages long. Think about it: how many people actually run a runtime security solution on their servers, and even if they do, how many implement meaningful policies that actually protect their systems? Not many, since whenever workflows change, those page-long configs need to be rewritten (configs that nobody understands, or wants to touch).

We couldn't find any security solutions that solved these problems, so Bomfather was born…


What Makes Us Different?

Bomfather is an eBPF security tool that is built for securing GPUs and runtimes.

Features:

  • Uses eBPF (extended Berkeley Packet Filter) to enforce policies. Unlike conventional protections, which are brittle and blind to what happens in the kernel, eBPF allows Bomfather to control what happens at the deepest level: the kernel.
  • Extremely fast, adding only around a 1% to 3% runtime overhead, while confidential computing adds around a 40% runtime overhead.
  • Integration is extraordinarily simple. The Bomfather Agent runs as a passive background process, so you don’t need to rip up your infrastructure to integrate.
  • We utilize an extremely simple, default-deny policy. With this you don’t have to go through huge policy files trying to figure out what does what (watch our inheritance policy video for more information)!

Our GPU Protection in Action

Products


GPUs are critical to machine learning pipelines. Your user data flows through them, expensive proprietary models run on them, and your product hinges on their output.

All of this data on your GPU can be read, tampered with, and exfiltrated by bad actors: there is no built-in access control around GPUs. You could use confidential computing (CC), but that adds a 40% runtime overhead and needless complexity. Can you afford to let your proprietary data sit on these GPUs with no protection?

This is where our eBPF protection comes in. With a negligible <2% overhead, it’s a passive process that runs in the background and requires no changes to your workflows.

To set up Bomfather, you write a simple five-line policy specifying which programs can access the GPU. Bomfather handles the rest.