Summarizer

Server-Client Architecture Security

Moving computation server-side as a defense, since anything shipped to clients can be decompiled; only code that never leaves the server stays private. Game developers note that network protocol reverse engineering is becoming faster with AI assistance.

Parent discussion: AI is breaking two vulnerability cultures

As client-side obfuscation becomes increasingly ineffective, developers are treating server-side architecture as the last line of defense for proprietary logic: anything shipped to the client can be decompiled and published, so only code that never leaves the server stays private. The thread argues that this "software moat" is itself under threat from AI-assisted adversaries who can reverse-engineer network protocols quickly and even build functional server emulators from observed request and response patterns. Commenters disagree on how far this goes. Some doubt that vulnerabilities in remote code can be found from I/O analysis alone, since work and data kept on the server are simply not available to an emulator; others note that server emulation is already common for older client-server games, that AI only makes it faster, and that timing details can refine guesses about the implementation; a few predict a shift toward highly centralized, "black box" cloud frameworks that isolate code execution from attackers, at the cost of making the cloud even more dominant. The conversation highlights a growing tension between protecting intellectual property and the reality that AI is lowering the barrier to cloning even well-guarded backend systems.
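The emulation argument above, made concrete. This is an added example, not code from the original page or from any game or project the commenters describe. It defines a small constructed request/response API (`RealServer`), a passive capture of its traffic, a rule inferrer that plays the part of the LLM-assisted adversary by testing cheap hypotheses per response field, and a replay emulator built from the inferred rules. Everything that is a function of visible request fields is recovered from traffic alone; a token keyed by a server-held secret and a balance that depends on server-side state both come out as "opaque", which is the case the skeptical commenters have in mind. All endpoint names, fields and the secret are assumptions made for the demo.

```python
# Added example, not code from the original page or any project it mentions.
import hmac
import hashlib
import json

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # never leaves the server


class RealServer:
    """The authoritative server. Only its traffic is visible to the adversary."""

    def __init__(self):
        self.balances = {"alice": 100, "bob": 50}  # server-side state

    def handle(self, req):
        op = req["op"]
        if op == "ping":                      # pure function of the request
            return {"ok": True, "echo": req["n"]}
        if op == "login":                     # keyed by a secret the client never sees
            tag = hmac.new(SERVER_SECRET, req["user"].encode(), hashlib.sha256).hexdigest()
            return {"ok": True, "token": tag}
        if op == "balance":                   # depends on server-side state
            return {"ok": True, "balance": self.balances[req["user"]]}
        if op == "buy":                       # mutates server-side state
            self.balances[req["user"]] -= req["cost"]
            return {"ok": True}
        return {"ok": False}


def observe(server, requests):
    """Passive capture: the adversary records (request, response) pairs."""
    return [(dict(r), server.handle(dict(r))) for r in requests]


def infer_rules(traces, min_samples=2):
    """For every op and response field, test the two hypotheses an analyst (or a
    model) tries first: the field is constant, or it copies a request field.
    Anything else is 'opaque': not derivable from what is on the wire."""
    by_op = {}
    for req, resp in traces:
        by_op.setdefault(req["op"], []).append((req, resp))
    rules = {}
    for op, pairs in by_op.items():
        rules[op] = {}
        for field in pairs[0][1]:
            values = [resp.get(field) for _, resp in pairs]
            if len(pairs) < min_samples:          # too little traffic to trust a rule
                rules[op][field] = ("opaque",)
            elif all(v == values[0] for v in values):
                rules[op][field] = ("const", values[0])
            else:
                src = [k for k in pairs[0][0]
                       if all(k in req and req[k] == resp.get(field) for req, resp in pairs)]
                rules[op][field] = ("copy", src[0]) if src else ("opaque",)
    return rules


def emulate(rules, req):
    """Answer a request from inferred rules. None means the real server holds
    something (a secret key or state) that the traffic does not reveal."""
    op_rules = rules.get(req["op"])
    if op_rules is None:
        return None
    resp = {}
    for field, rule in op_rules.items():
        if rule[0] == "const":
            resp[field] = rule[1]
        elif rule[0] == "copy":
            resp[field] = req.get(rule[1])
        else:
            return None
    return resp


def demo():
    """Capture constructed traffic, infer rules, and try the emulator on unseen input."""
    server = RealServer()
    captured = observe(server, [
        {"op": "ping", "n": 1}, {"op": "ping", "n": 2}, {"op": "ping", "n": 7},
        {"op": "login", "user": "alice"}, {"op": "login", "user": "bob"},
        {"op": "balance", "user": "alice"},
        {"op": "buy", "user": "alice", "cost": 30},
        {"op": "balance", "user": "alice"},   # same request, different answer
    ])
    rules = infer_rules(captured)
    return (rules,
            emulate(rules, {"op": "ping", "n": 42}),        # emulable: {"ok": True, "echo": 42}
            emulate(rules, {"op": "login", "user": "carol"}))  # not emulable: None


if __name__ == "__main__":
    rules, ping, login = demo()
    print(json.dumps(rules, indent=1))
    print("ping ->", ping, "| login ->", login)
```

The inferrer is deliberately naive; a model would try richer hypotheses (arithmetic on fields, sequence numbers, hashes of visible data). The dividing line it illustrates does not move, though: a response that is a function of visible inputs is reproducible, a response that is a function of a secret or of server-side state is not, which is exactly why the commenters above keep saying that the undeployed server code is the only part that stays private.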

13 comments tagged with this topic

View on HN · Topics
> It has been over a decade since any ordinary off-the-shelf closed-source software was meaningfully obscured from serious adversaries.

Probably goes without saying, but the last line of defense is not deploying your software publicly and instead relying on server-client architectures to do anything. Maybe this will be more common as vulnerabilities are more easily detected and exploited. Of course it's not always feasible. It has been annoying seeing my (ProGuard-obfuscated) game client binaries decompiled and published on GitHub many times over the last 11 years. Only the undeployed server code has remained private. Interestingly, I didn't have a problem with adversaries reverse engineering my network protocols until I was updating them less frequently than weekly. LLM-assisted adversaries could probably keep up with that now too.
> Only the undeployed server code has remained private.

How easy do you think it is for an LLM to build a decent emulator of the server in question just by observing what you send and what you get as a response?
Honestly, I can't really imagine how this would work at all. I could see how, given enough data, you'd be able to infer the intended logic of the server and reimplement something that's compatible (I've done this myself with Wireshark + USB devices in the past). But how could you reason about specific vulnerabilities in remote code just from a set of requests and responses?
Not sure why this was downvoted. Server emulators will become faster to make. Protocol analysis will become faster as well.
Because while you could get something that drives a dumb interface, by moving the work and data to the server it's not available for the emulation software to use.
If the contract is well defined, the LLM can infer what its purpose is, its implementation, possibly even your secret sauce. There is no software moat anymore.
Yes, this is what I was trying to say. It's quite common on older client-server games to do this sort of thing. Powerful AI models will just make the work to recreate/emulate servers faster.
Except that emulating what is seen is surprisingly useful to find attack vectors. As a single deeper datapoint, one can look at more than just baseline behavior and delve into timing details to further refine implementation guesses.
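One concrete form of the "timing details" remark above, as an added example that is not part of the original thread and not code from any project it mentions. A server that checks a client-supplied token with an early-exit, byte-by-byte comparison leaks, through how long it works, how many leading bytes of the guess were right; an adversary who already emulates the protocol can drive that oracle and recover the token one byte at a time. For a reproducible demo the latency an attacker would measure is replaced by a deterministic count of byte comparisons, which is an assumption; against a live server the same loop would average many wall-clock samples per candidate. The hardened variant uses `hmac.compare_digest`, and the identical attack loop then finds no signal. The token, alphabet and class names are constructed for the demo.

```python
# Added example, not code from the original page or any project it mentions.
import hmac

HEX = b"0123456789abcdef"
DEMO_TOKEN = b"3f9ac02e"          # constructed secret held only by the server


class LeakyServer:
    """Early-exit comparison: work grows with the length of the matching prefix.
    `work` counts byte comparisons and stands in for measured latency (assumption)."""

    def __init__(self, token):
        self._token = token

    def check(self, guess):
        work = 0
        if len(guess) != len(self._token):
            return False, work
        for g, t in zip(guess, self._token):
            work += 1
            if g != t:                # bail out at the first mismatch: this is the leak
                return False, work
        return True, work


class ConstantTimeServer(LeakyServer):
    """Same API, but hmac.compare_digest does not stop at the first mismatch,
    so the work count (and real latency) is independent of the guess."""

    def check(self, guess):
        return hmac.compare_digest(guess, self._token), len(self._token)


def recover_token(server, length, alphabet, filler=b"\x00"):
    """Recover the token one byte at a time by picking, at each position, the
    candidate whose check took longest. Returns None when the oracle is flat,
    i.e. every candidate costs the same and there is no signal to follow."""
    known = b""
    for pos in range(length):
        costs = {}
        for c in alphabet:
            guess = known + bytes([c]) + filler * (length - pos - 1)
            accepted, work = server.check(guess)
            if accepted:              # only happens once the whole token is right
                return guess
            costs[c] = work
        if len(set(costs.values())) == 1:
            return None               # constant-time server: nothing to learn
        known += bytes([max(costs, key=costs.get)])
    return known


if __name__ == "__main__":
    n = len(DEMO_TOKEN)
    print("leaky   :", recover_token(LeakyServer(DEMO_TOKEN), n, HEX))       # b'3f9ac02e'
    print("hardened:", recover_token(ConstantTimeServer(DEMO_TOKEN), n, HEX))  # None
```

Against the leaky server the attack needs `len(alphabet) * len(token)` queries at most (128 here), not `16**8`; that is the sense in which an emulator plus timing observations "finds attack vectors" without ever seeing the server code. The defense is not secrecy of the comparison routine but a comparison whose cost does not depend on the input.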
> it'll become common/forced practice to pre-scan code.

You'd think. But then you'd think people would do a lot of other things too. I hope, I guess. The other danger is that "the cloud" may become even more overwhelmingly dominant, which of course has its own large security costs.
We could get somewhere where clouds provide a framework of secure primitives. E.g. you build an app, it stores data via an API, etc. You can test in a sandbox. The cloud deploys for the customer who paid you via that cloud, and you work at arm's length. You may not even know their name. You just get the pro subscription fees. The idea bubbling in my head would be an app store for cloud products, but with competition, i.e. you use Railway or Heroku or AWS for the best deal. Be gentle, this is an idea in my head; I am sure it can be torn down by a retort at this stage. But this exists in forms and I think it will emerge. It is inversion of control at the entire app level. This is similar to buying a hammer. If you make hammers you sell them to a store; the store knows the customer and only the customer can see the nails.
> This is similar to buying a hammer. No, it's similar to letting someone else do all your hammering because using a hammer is too dangerous. And then, to make the process more efficient, letting them take control of your home to be able to provide hammering services while making sure you can't touch the hammer.
I guess. It is like a writer letting someone else print the books, maybe?
They can be, but the most interesting parts (backend code, deployment configs) are not usually available. Reversing clients can help you understand a bit, but not to an equal level.