Effortlessly Protect Your Runtimes

We're building runtime security you deploy on your Linux servers to protect the resources your workloads depend on, such as GPUs, databases, filesystems, and more.

Funded by Balaji Srinivasan, former CTO of Coinbase and founder of the Network School.

What is Bomfather?

Bomfather is a runtime security agent you deploy on your Linux servers to protect the resources your workloads depend on, such as GPUs, databases, and filesystems.

We realized that GPUs are fundamentally insecure and that there wasn't really a good solution for GPU or runtime security.

So we created Bomfather to fix three issues in existing solutions: speed, security, and simplicity.


Speed

Bomfather uses eBPF (extended Berkeley Packet Filter) to enforce policies. Unlike traditional protections, which are brittle and blind to kernel events, eBPF lets Bomfather control what happens at the deepest level: the kernel. eBPF adds 1% to 3% overhead, while Confidential Computing adds anywhere from 10% to 40-60% overhead depending on the workload.

Security

There are many runtime security solutions, but most run in userspace, leaving them vulnerable to tampering by other processes on the machine. The remaining solutions are vulnerable to policy manipulation and can be shut down by malicious actors. Bomfather's solution is built with eBPF, so we run directly in the kernel and are constantly at the forefront of innovation in GPU and runtime security.

Simplicity

Bomfather is extremely easy to set up. You can write a really small policy file for your whole infrastructure, so you don't have to dig through huge policy files trying to figure out what does what (watch our inheritance policy video for more information)! Running Bomfather is also really easy: it's a background process that requires no changes to your infrastructure or programs.

Our GPU Protection in Action

Products

Protect GPUs

GPUs are critical to machine learning pipelines. Your user data flows through them, expensive proprietary models run on them, and your product hinges on their output.

All of this data on your GPU can be read, tampered with, and exfiltrated by bad actors; there is no built-in access control around GPUs. You could use confidential computing (CC), but that adds anywhere from 10% to 40-60% overhead depending on your workload. Can you afford to let your proprietary data sit on these GPUs with no protection?

This is where our eBPF protection comes in. With a negligible <2% overhead, it's a passive process that runs in the background and requires no changes to your workflows.

To set up Bomfather, you write a simple five-line policy specifying which programs can access the GPU. Bomfather handles the rest.

Protect Runtimes

We can follow best practices, carefully evaluate dependencies, and write good code. But at some point, there will always be a breach, a zero day, something nobody can stop.

At some point, an attack will compromise your system and steal or manipulate proprietary information and user data. You need a final barrier between your data and attackers.

The Bomfather agent gives you exactly that: a final barrier without any complexity. You write a simple config stating which executables can access your protected resources, start the agent as a background process, and that's it: complete security without integration hell.
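The model described above, for GPUs and for other protected resources, is an allow-list keyed on the executable that opens a resource. The following is an added illustration and is not Bomfather's code or its policy format: the rule syntax, the override semantics (a rule on a more specific path replaces the broader rule it sits inside) and the sample events are all assumptions made for this example. It assumes the enforcement point identifies a program by its resolved executable path, as a kernel-level hook on file open would, rather than by a process name that any program can choose for itself.

```python
"""Illustrative allow-list policy evaluator for protected resources.

Added example: hypothetical policy format, not Bomfather's. It shows
the decision a kernel-side hook would make on each open() event given
a small, per-resource allow-list with most-specific-rule-wins semantics.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Rule:
    resource: str        # directory prefix, or a glob for device nodes
    allowed: frozenset   # resolved executable paths allowed to open it


# Constructed sample policy (hypothetical format). A rule covers everything
# under its resource path; a rule on a more specific path overrides the
# broader rule it sits inside instead of adding to it.
POLICY = (
    Rule("/dev/nvidia*", frozenset({"/usr/bin/python3.12"})),
    Rule("/srv", frozenset({"/usr/bin/rsync"})),
    Rule("/srv/models", frozenset({"/usr/bin/python3.12"})),
    Rule("/var/lib/postgresql", frozenset({"/usr/lib/postgresql/16/bin/postgres"})),
)


def _covers(resource: str, path: str) -> bool:
    """True if the rule's resource pattern applies to this path."""
    if any(c in resource for c in "*?["):
        return fnmatchcase(path, resource)        # device-node glob
    rp, p = PurePosixPath(resource), PurePosixPath(path)
    return p == rp or rp in p.parents             # directory prefix


def _specificity(rule: Rule) -> int:
    return len(PurePosixPath(rule.resource).parts)


def decide(exe: str, path: str, policy=POLICY):
    """Return (verdict, reason) for an executable opening a path.

    Paths not covered by any rule are left alone: the agent only gates
    the resources the policy names.
    """
    matching = [r for r in policy if _covers(r.resource, path)]
    if not matching:
        return "allow", "resource not protected by policy"
    rule = max(matching, key=_specificity)        # most specific rule wins
    if exe in rule.allowed:
        return "allow", f"{exe} listed for {rule.resource}"
    return "deny", f"{exe} not listed for {rule.resource}"


# Constructed sample open() events as (resolved executable, path), in the
# shape a kernel hook on file open would report them.
EVENTS = [
    ("/usr/bin/python3.12", "/dev/nvidia0"),
    ("/usr/bin/curl", "/dev/nvidia0"),                      # unlisted program touching a GPU
    ("/usr/bin/rsync", "/srv/backups/2024.tar"),
    ("/usr/bin/rsync", "/srv/models/llm.safetensors"),      # /srv/models overrides /srv
    ("/usr/bin/python3.12", "/srv/models/llm.safetensors"),
    ("/bin/bash", "/var/lib/postgresql/16/main/base/1/1234"),
    ("/bin/bash", "/tmp/scratch"),                          # not a protected resource
]


def audit(events=EVENTS, policy=POLICY):
    """Evaluate every event; returns (exe, path, verdict, reason) tuples."""
    return [(exe, path, *decide(exe, path, policy)) for exe, path in events]


if __name__ == "__main__":
    for exe, path, verdict, why in audit():
        print(f"{verdict:5} {exe} -> {path} ({why})")
```

The two rsync events are the point of the override semantics: rsync may read backups under /srv, but the narrower /srv/models rule replaces the /srv allow-list, so the model weights are reachable only by the inference interpreter. Keying on the resolved executable path matters because a process name is attacker-controlled, whereas the path of the binary the kernel actually mapped is not.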