Changelog

New features and improvements to Bomfather

Anomaly Detection

We have finished the first version of our anomaly detection! Bomfather now learns what files an executable normally accesses, and alerts you when it does something unexpected.

Our anomaly detection logic works in two parts. First, there is a 7-day learning period, during which Bomfather observes which executables access which files and creates an allow list. During this period, there aren’t any alerts. After the learning period, if an executable accesses a file not on its allow list, the access is flagged as an anomaly.

While we would like to perform anomaly detection on every executable, that isn’t viable. If we were to do so, we would just get a lot of noise, since build tools, package managers, and compilers access thousands of unique files.

Noisy executables are identified using heuristics. We don’t use any type of AI for this, so we can maintain consistency and get predictable results about which executables are considered noisy.
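The two-part logic above (learn for a fixed window, then alert on accesses outside the learned allow list, skipping noisy executables) simulated over a constructed event stream. This is an added illustration, not Bomfather’s code; the noisy-executable heuristic is reduced to an assumed unique-file-count threshold, and the sample events are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)   # learning window described in the changelog
NOISY_THRESHOLD = 1000                # assumed heuristic: more unique files than this => noisy

class AnomalyDetector:
    """Per-executable allow list learned from file-access events, then enforced."""

    def __init__(self, start, learning_period=LEARNING_PERIOD, noisy_threshold=NOISY_THRESHOLD):
        self.learning_end = start + learning_period
        self.noisy_threshold = noisy_threshold
        self.allow = defaultdict(set)  # executable path -> files seen during learning

    def is_noisy(self, exe):
        # Stand-in for the real heuristic: build tools, package managers and compilers
        # touch so many unique files that alerting on them would be pure noise.
        return len(self.allow[exe]) >= self.noisy_threshold

    def observe(self, ts, exe, path):
        """Feed one access event; return True if it is flagged as an anomaly."""
        if ts < self.learning_end:
            self.allow[exe].add(path)  # learning period: record, never alert
            return False
        if self.is_noisy(exe):
            return False               # noisy executables are excluded from detection
        # An executable first seen after the learning period has an empty allow
        # list, so every access it makes is flagged until it is learned.
        return path not in self.allow[exe]

def run(events, start, noisy_threshold=NOISY_THRESHOLD):
    """Replay (timestamp, executable, file) events in time order; return flagged accesses."""
    det = AnomalyDetector(start, noisy_threshold=noisy_threshold)
    return [(exe, path) for ts, exe, path in sorted(events) if det.observe(ts, exe, path)]

T0 = datetime(2025, 1, 1)
# Constructed sample events (not real telemetry): nginx has a small, stable footprint;
# make touches 60 distinct source files during learning, so it is noisy at threshold 50.
EVENTS = [
    (T0 + timedelta(days=1), "/usr/sbin/nginx", "/etc/nginx/nginx.conf"),
    (T0 + timedelta(days=2), "/usr/sbin/nginx", "/var/cache/nginx/index"),
    (T0 + timedelta(days=8), "/usr/sbin/nginx", "/etc/nginx/nginx.conf"),  # on allow list
    (T0 + timedelta(days=8), "/usr/sbin/nginx", "/etc/shadow"),            # anomaly
    (T0 + timedelta(days=8), "/usr/bin/make", "/src/new_file.c"),          # noisy, suppressed
] + [(T0 + timedelta(days=3), "/usr/bin/make", f"/src/file{i}.c") for i in range(60)]

if __name__ == "__main__":
    for exe, path in run(EVENTS, T0, noisy_threshold=50):
        print(f"ANOMALY: {exe} accessed {path}")
```

Raising the threshold back to the default makes make non-noisy, and its access to the unseen file is then flagged too, which is the noise the heuristic is there to suppress.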

Kernel Support for 5.18 and 6.18

Bomfather supports kernels 5.18 to 6.18. 6.18 is the latest stable kernel. We’ll add LTS support as new versions drop.

Support for Kubernetes and Bare Metal

Bomfather now supports both Kubernetes and non-Kubernetes workloads. We decided to build it so that you can use it in both environments while maintaining an extremely simple configuration.

In the example below, we have policies for the “host” (when the container path is empty) and for an nginx container in the dev namespace.

container_policies:
  - container_path: "" # HOST (container_path empty)
    executables:
      - path: "example/accessor/accessor"
        access_gpu: true
        directories:
          - path: "example/protected/protected1"
            permission: "read"

  - container_path: "dev:web:nginx:" # Kubernetes format, namespace:pod:container
    executables:
      - path: "/usr/sbin/nginx"
        directories:
          - path: "/var/cache"
            permission: "write"

One of the important differentiators we wanted to bring is a straightforward configuration that allows mixing and matching host and container policies within a single file.

The container_path field supports wildcards as well, to make configuration easier.

eBPF Map Hardening

We have added some major security improvements to protect Bomfather’s eBPF programs from tampering and manipulation attacks.

Security Enhancements:

  • Protected eBPF maps from unauthorized access, so that they can’t be tampered with even by a root user
  • Secured communication channels between userspace and kernel

These hardening measures address vulnerabilities we discovered in existing eBPF security solutions, where attackers could manipulate policy maps to bypass security controls.

Policy Inheritance System

We have simplified policy management considerably with our new inheritance system. No more page long configuration files!

New Policy Features:

  • Default deny security model
  • Hierarchical policy inheritance
  • Simple 5-line base configurations
  • Automatic policy propagation to child processes

Our inheritance model means you define what’s allowed once, and Bomfather handles the rest. When workflows change, you don’t need to rewrite entire configuration files.