Effortlessly Protect Your Runtimes

Building security from the kernel

Funded by Balaji Srinivasan, former CTO of Coinbase.

What is Bomfather?

Bomfather is a runtime security agent you deploy on your Linux servers to protect the resources your workloads depend on, such as GPUs, databases, filesystems, and more.

What Makes Us Different?


Features:

  • Uses eBPF (extended Berkeley Packet Filter) to enforce policies. Unlike traditional protections, which are brittle and blind to kernel events, eBPF enables Bomfather to control what happens at the deepest level (the kernel). eBPF adds 1% to 3% overhead, while Confidential Computing adds anywhere from 10% to 4060% overhead depending on the workload.
  • Bomfather is extremely easy to set up. You can write a really small policy file for your whole infrastructure, so you don't have to go through huge policy files trying to figure out what does what (watch our inheritance policy video for more information)! Running Bomfather is also really easy: it's a background process that requires no changes to your infrastructure or programs.
  • While blocking malicious activity with a security policy is important, making informed decisions based on metrics is essential, as it allows you to take security into your own hands. That is why we create heuristics for different types of information, from file opens to violations, so you get the information without being bombarded with notifications.

Our GPU Protection in Action

Products

  

GPUs are critical to machine learning pipelines. Your user data flows through them, expensive proprietary models run on them, and your product hinges on their output.

All of this data on your GPU can be read, tampered with, and exfiltrated by bad actors, because there is no built-in access control around GPUs. You could use confidential computing (CC), but that adds anywhere from 10% to 4060% overhead depending on your workload. Can you afford to let your proprietary data sit on these GPUs with no protection?

This is where our eBPF protection comes in. With a negligible <2% overhead, it's a passive process that runs in the background and requires no changes to your workflows.

To set up Bomfather, you write a simple five-line policy specifying which programs can access the GPU. Bomfather handles the rest.