Changelog

Software supply chain security helps us patch known vulnerabilities, but patches can be delayed or vulnerabilities can be missed. That leaves room for data exfiltration.

Bomfather already protects against ransomware style encryption and malicious script injection. Now we also protect against secret theft with IP Protection.

IP Protection enforces network access at the executable level:

• Limit which IPs/DNS names an executable can connect to
• Limit which executables can connect to a specific IP/DNS destination

Unlike a traditional firewall that applies host-level policy, this applies per executable.

We’ve launched our documentation site at docs.bomfather.dev! It covers everything you need to get started with Bomfather and make the most of its features. ​

The docs include guides on installation, configuration, policy setup, and more. Whether you’re deploying on Kubernetes or bare metal, the docs walk you through the entire process step by step. ​

We want the docs to be a living resource, so as we ship new features, the documentation will be updated alongside them. If something is missing or unclear, feel free to reach out and let us know.

We have finished the first version of our anomaly detection! Bomfather now learns what files an executable normally accesses, and alerts you when it does something unexpected. ​

Our anomaly detection logic works in two parts. First, there is a 7 day learning period, during which Bomfather observes which executables access files and creates an allow list. During this period, there aren’t any alerts. After the learning period, if an executable accesses a file not on the allow list, it is flagged as an anomaly. ​

While we would like to perform anomaly detection on every executable, that isn’t viable. If we were to do so, we would just get a lot of noise since build tools, package managers, and compilers access thousands of unique files. ​

Noisy executable detection is achieved by using heuristics. We don’t use any type of AI for this, so we can maintain consistency and get predictable results about which executables are considered noisy.

Bomfather supports kernels 5.18 to 6.18. 6.18 is the latest stable kernel. We’ll add LTS support as new versions drop.

Bomfather now supports both Kubernetes and non Kubernetes workloads. We decided to build it so that you can use it in both environments while maintaining an extemely simple configuration.

In the example below, we have policies for the “host” (when the container path is empty) and for an nginx container in the dev namespace.

container_policies:
  - container_path: "" # HOST (container_path empty) 
    executables:
      - path: "example/accessor/accessor"
        access_gpu: true
        directories:
          - path: "example/protected/protected1"
            permission: "read"

  - container_path: "dev:web:nginx:" # Kubernetes format, namespace:pod:container
    executables:
      - path: "/usr/sbin/nginx"
        directories:
          - path: "/var/cache"
            permission: "write" 

One of the important differentiations we wanted to bring was a straightforward configuration that allows mixing and matching within a single file.

Our container path supports wildcards as well, to make configuration easier.

We have added some major security improvements to protect Bomfather’s eBPF programs from tampering and manipulation attacks.

Security Enhancements:

• Protected eBPF maps from unauthorized access so that eBPF maps can’t even be tampered with by a root user
• Secured communication channels between userspace and kernel

These hardening measures address vulnerabilities we discovered in existing eBPF security solutions, where attackers could manipulate policy maps to bypass security controls.

We have simplified policy management considerably with our new inheritance system. No more page long configuration files!

New Policy Features:

• Default deny security model
• Hierarchical policy inheritance
• Simple 5 line base configurations
• Automatic policy propagation to child processes

Our inheritance model means you define what’s allowed once, and Bomfather handles the rest. When workflows change, you don’t need to rewrite entire configuration files.