Runtime Protection

We can follow best practices, carefully evaluate dependencies, and write good code. But sooner or later there is a breach, a zero day, something nobody could have stopped in advance.

The Bomfather agent is the final barrier for that moment, and it adds no complexity. You write a simple config stating which executables may access your protected resources, start the agent as a background process, and that's it: the policy is enforced without changes to your applications and without integration hell.

Allow file access by specific executables

If a malicious actor gets access to your machine, how do you make sure that they, or a malicious binary they drop, can't read sensitive data from a file? Bomfather solves this by allowing only specific executables to open specific files. Because the decision is keyed on the executable rather than on the user, the Bomfather agent denies the file even to binaries running with elevated permissions unless they are on the list.

file-boundaries.yaml

  

Control outbound network access per executable

Traditional firewalls enforce rules at the host or container boundary; Bomfather ties network rules to the executable that opens the connection.

This makes sure that only the processes you trust can reach sensitive destinations like your KMS or signing API. Destinations you protect are reachable only by the executables mapped to them, and destinations that aren't explicitly stated in the policy are blocked for everything. Together, these prevent data exfiltration and keep egress to a minimum.

For example, suppose a dependency you pull in turns out to be compromised. How do you make sure the attacker behind it can't steal your secrets? To steal them, the attacker has to move them somewhere they can read them, which means an outbound connection to an address they control. If you restrict which destinations each executable on the machine can reach, the compromised process has nowhere to send the data. The restriction is only as tight as the mapping: a compromised process that is itself allowed to reach an external service can still use that service as a channel, so keep each executable's destination list to what it actually needs.

ip-protection.yaml

  

Block runtime hijacking

Attackers can use dynamic-linker tricks such as LD_PRELOAD and the other LD_* environment variables to inject a library into a tool when it starts and intercept its sensitive file operations. Bomfather stops attackers from using these tricks to tamper with your runtime.

If an attacker attaches to your running programs with ptrace, they can read their memory and alter their behaviour, which is enough to exfiltrate data. Bomfather blocks ptrace attaches to your running programs.

ptrace-defense.yaml

  
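The agent enforces these blocks in the kernel, but the indicators themselves are visible from userland, and a practitioner will want a way to check for them on a host with or without the agent. The following Go program is an added example, not part of Bomfather, that scans the raw contents of /proc/<pid>/environ for LD_PRELOAD, LD_AUDIT and LD_LIBRARY_PATH, reads TracerPid from /proc/<pid>/status to see whether something is attached with ptrace, and parses /etc/ld.so.preload, the system-wide preload file that never appears in any process's environment. The sample inputs are constructed in the real /proc and ld.so formats, not captured from a host.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one runtime-hijacking indicator observed for a process.
type Finding struct{ Kind, Detail string }

// ldHijackVars are the dynamic-linker variables that change which code a
// program loads when it starts; the notes say why each one matters.
var ldHijackVars = map[string]string{
	"LD_PRELOAD":      "library loaded ahead of libc; its symbols shadow the real ones",
	"LD_AUDIT":        "audit library loaded; it gets callbacks as symbols are bound",
	"LD_LIBRARY_PATH": "search path overridden; a planted library can shadow a real one",
}

// ScanEnviron inspects the raw contents of /proc/<pid>/environ, a sequence of
// NAME=value entries separated by NUL bytes, and reports LD_* injection.
func ScanEnviron(environ []byte) []Finding {
	var out []Finding
	for _, entry := range strings.Split(string(environ), "\x00") {
		i := strings.IndexByte(entry, '=')
		if i < 0 {
			continue
		}
		name, value := entry[:i], entry[i+1:]
		if why, hit := ldHijackVars[name]; hit && value != "" {
			out = append(out, Finding{"ld-env", name + "=" + value + " (" + why + ")"})
		}
	}
	return out
}

// TracerPID parses the TracerPid line of /proc/<pid>/status; 0 means nothing is
// attached with ptrace.
func TracerPID(status string) int {
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "TracerPid:" {
			if n, err := strconv.Atoi(f[1]); err == nil {
				return n
			}
		}
	}
	return 0
}

// Preloaded parses /etc/ld.so.preload, the system-wide counterpart of LD_PRELOAD.
// It applies to every dynamically linked program on the host and never shows up
// in a process's environment, so an environ scan alone would miss it.
func Preloaded(contents string) []string {
	var libs []string
	for _, line := range strings.Split(contents, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip comments
		}
		libs = append(libs, strings.Fields(line)...)
	}
	return libs
}

// Constructed sample data in the real /proc and ld.so formats; not captured
// from a host.
var (
	SampleEnviron = []byte("PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00")
	SampleStatus  = "Name:\ttrainer\nState:\tt (tracing stop)\nPid:\t200\nPPid:\t1\nTracerPid:\t4242\n"
	SamplePreload = "# planted by an attacker who already has root\n/usr/lib/libsnoopy.so\n"
)

func main() {
	for _, f := range ScanEnviron(SampleEnviron) {
		fmt.Printf("%s: %s\n", f.Kind, f.Detail)
	}
	if pid := TracerPID(SampleStatus); pid != 0 {
		fmt.Printf("ptrace: attached by pid %d\n", pid)
	}
	for _, lib := range Preloaded(SamplePreload) {
		fmt.Printf("ld.so.preload: %s\n", lib)
	}
}
```

On a live host you would feed the three functions the contents of /proc/<pid>/environ, /proc/<pid>/status and /etc/ld.so.preload; a process that has already been hijacked at startup shows the LD_* variable in its environment, a traced process shows a non-zero TracerPid, and a root-level attacker who prefers ld.so.preload shows up only in the third check.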

Policy inheritance

Writing policies by hand is hard because they quickly get complex. So Bomfather has policy inheritance: if you define which resources an executable may access, all of its child processes automatically inherit the same permissions. There is no need to list every training script or subprocess.

policy-inheritance.yaml

  
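The behaviour this section and the two before it describe (file and destination allowlists keyed on the executable, default-denied egress, no bypass for root, and inheritance down the process tree) can be written down as a small decision model. The following Go program is an added example of that model with constructed sample data; it is not Bomfather's code, and its policy fields, process tree and executable paths are this example's assumptions. It models only the decision, not the eBPF enforcement.

```go
package main

import "fmt"

// Policy is a constructed model of the two kinds of rule this page describes:
// protected files and protected destinations, each mapped to the executables
// allowed to use them. Field names are this example's, not Bomfather's schema.
type Policy struct {
	Files        map[string][]string // protected path -> allowed executables
	Destinations map[string][]string // protected "host:port" -> allowed executables
}

// Process is the state the decision needs. UID is carried only to make the point
// that the decision never reads it: an unmapped root process is denied too.
type Process struct {
	PID, PPID, UID int
	Exe            string
}

// Tree indexes processes by PID so the decision can walk parent links.
type Tree map[int]Process

// ancestry returns the executable of pid and of each ancestor, nearest first,
// stopping at the root of the tree or at a missing/cyclic link.
func (t Tree) ancestry(pid int) []string {
	var exes []string
	seen := map[int]bool{}
	for pid > 0 && !seen[pid] {
		p, ok := t[pid]
		if !ok {
			break
		}
		seen[pid] = true
		exes = append(exes, p.Exe)
		pid = p.PPID
	}
	return exes
}

// inherits is the policy-inheritance rule: a process is permitted if its own
// executable, or the executable of any ancestor, is on the allowlist.
func inherits(chain, allowlist []string) bool {
	for _, exe := range chain {
		for _, a := range allowlist {
			if exe == a {
				return true
			}
		}
	}
	return false
}

// CanOpen decides a file open. Files not named in the policy are not protected
// and fall through to the kernel's ordinary permission checks.
func (pol Policy) CanOpen(t Tree, pid int, path string) bool {
	allow, protected := pol.Files[path]
	if !protected {
		return true
	}
	return inherits(t.ancestry(pid), allow)
}

// CanConnect decides an outbound connection. The page says unstated destinations
// are blocked for every executable, so the only way out is through a mapping.
func (pol Policy) CanConnect(t Tree, pid int, dst string) bool {
	allow, protected := pol.Destinations[dst]
	if !protected {
		return false
	}
	return inherits(t.ancestry(pid), allow)
}

// ExamplePolicy and ExampleTree are constructed sample data: a trainer that may
// read a model key and reach the KMS, a python3 helper it spawned, a root curl.
func ExamplePolicy() Policy {
	return Policy{
		Files:        map[string][]string{"/etc/app/model.key": {"/opt/app/trainer"}},
		Destinations: map[string][]string{"kms.internal:443": {"/opt/app/trainer"}},
	}
}

func ExampleTree() Tree {
	return Tree{
		1:   {PID: 1, PPID: 0, UID: 0, Exe: "/sbin/init"},
		200: {PID: 200, PPID: 1, UID: 1000, Exe: "/opt/app/trainer"},
		201: {PID: 201, PPID: 200, UID: 1000, Exe: "/usr/bin/python3"},
		300: {PID: 300, PPID: 1, UID: 0, Exe: "/usr/bin/curl"},
	}
}

func main() {
	pol, t := ExamplePolicy(), ExampleTree()
	fmt.Println("trainer opens key:      ", pol.CanOpen(t, 200, "/etc/app/model.key"))
	fmt.Println("python3 child opens key:", pol.CanOpen(t, 201, "/etc/app/model.key"))
	fmt.Println("root curl opens key:    ", pol.CanOpen(t, 300, "/etc/app/model.key"))
	fmt.Println("python3 child -> KMS:   ", pol.CanConnect(t, 201, "kms.internal:443"))
	fmt.Println("trainer -> 203.0.113.9: ", pol.CanConnect(t, 200, "203.0.113.9:443"))
}
```

Note what inheritance implies: the python3 child is allowed because its parent is, regardless of what the child is or who started it. That is what makes it unnecessary to list every helper script, and it is also why the mapped executable should be the narrowest binary that genuinely needs the resource.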

Can't shut me down!

Having a security agent is great, but what happens if someone shuts it down? To prevent this, the Bomfather agent blocks attempts to stop it, even from processes with elevated privileges. The only way to shut the agent down is to present a private key matching a public key embedded in the policy.

A major attack vector against eBPF-based security tooling is tampering with the eBPF maps that hold its policy and state, so we make sure our maps are protected as well (take a look at our blog post about securing eBPF maps). We are the first and only eBPF solution to do this natively.

self-protection.yaml
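The page says the agent can only be stopped with a private key that matches a public key in the policy. The following Go program is an added example, not Bomfather's code, of how such a check can be built so the private key itself never has to be handed to the agent: the operator signs a one-time shutdown request and the agent verifies the signature against the policy's public key. The ShutdownPublicKey field, the request format, the 30-second freshness window and the replay check are this example's assumptions; the property it demonstrates is the one the section describes, that the caller's privileges play no part in the decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Policy carries the one field this example needs: the hex-encoded public key
// whose holder may stop the agent. The field name is this example's assumption.
type Policy struct {
	ShutdownPublicKey string
}

// ShutdownRequest is what an operator presents. The private key stays with the
// operator; only a signature over (command, nonce, issue time) reaches the agent.
type ShutdownRequest struct {
	Nonce    [16]byte
	IssuedAt int64 // Unix seconds
	Sig      []byte
}

const shutdownCommand = "shutdown-agent" // fixed context string bound into the signature

func requestBytes(nonce [16]byte, issuedAt int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(issuedAt))
	return append(append([]byte(shutdownCommand), nonce[:]...), ts[:]...)
}

// GenerateOperatorKey makes a fresh key pair and the policy fragment that
// authorizes its holder.
func GenerateOperatorKey() (Policy, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Policy{}, nil, err
	}
	return Policy{ShutdownPublicKey: hex.EncodeToString(pub)}, priv, nil
}

// Sign is the operator side: a one-time nonce and a timestamp, signed.
func Sign(priv ed25519.PrivateKey, now time.Time) (ShutdownRequest, error) {
	var r ShutdownRequest
	if _, err := rand.Read(r.Nonce[:]); err != nil {
		return r, err
	}
	r.IssuedAt = now.Unix()
	r.Sig = ed25519.Sign(priv, requestBytes(r.Nonce, r.IssuedAt))
	return r, nil
}

// Agent is the agent side: the policy's public key, a freshness window, and the
// nonces already accepted so a captured request cannot be replayed.
type Agent struct {
	pub    ed25519.PublicKey
	maxAge time.Duration
	seen   map[[16]byte]bool
}

func NewAgent(pol Policy, maxAge time.Duration) (*Agent, error) {
	raw, err := hex.DecodeString(pol.ShutdownPublicKey)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("policy: shutdown public key is not a valid Ed25519 key")
	}
	return &Agent{pub: ed25519.PublicKey(raw), maxAge: maxAge, seen: map[[16]byte]bool{}}, nil
}

// AuthorizeShutdown returns nil only for a fresh, previously unseen request whose
// signature verifies under the policy key. Who is asking, and with what
// privileges, never enters the decision.
func (a *Agent) AuthorizeShutdown(r ShutdownRequest, now time.Time) error {
	if !ed25519.Verify(a.pub, requestBytes(r.Nonce, r.IssuedAt), r.Sig) {
		return errors.New("shutdown refused: signature does not match the policy key")
	}
	if age := now.Unix() - r.IssuedAt; age < 0 || time.Duration(age)*time.Second > a.maxAge {
		return errors.New("shutdown refused: request expired or timestamped in the future")
	}
	if a.seen[r.Nonce] {
		return errors.New("shutdown refused: request already used")
	}
	a.seen[r.Nonce] = true
	return nil
}

func main() {
	pol, priv, _ := GenerateOperatorKey()
	agent, _ := NewAgent(pol, 30*time.Second)
	now := time.Now()
	req, _ := Sign(priv, now)
	fmt.Println("operator's signed request:", agent.AuthorizeShutdown(req, now))
	_, otherPriv, _ := GenerateOperatorKey()
	bad, _ := Sign(otherPriv, now)
	fmt.Println("root with the wrong key:  ", agent.AuthorizeShutdown(bad, now))
}
```

The nonce and timestamp are what turn "holds the key" into a usable check: without them a single captured shutdown request would stop the agent again at any later time, which is exactly the bypass the section is about.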