Jump to pattern

Forgetting Eventually, But Not Soon Enough

Why time-limited memory still provides injection persistence windows

The Conventional Framing

Sliding window memory retains only the most recent N turns of conversation, dropping older messages as new ones arrive. This bounds memory size while maintaining recent context.

The pattern balances context retention with resource limits and manages conversation length naturally.

Why Windows Still Have Persistence

A sliding window limits how long injections persist—but they still persist for the window duration. If your window is 20 turns, an injection from turn 1 influences turns 2-20.

The window size is a persistence guarantee for attackers. They know how long their injection will remain active.

The burst attack:

An attacker who injects once has N turns of influence. An attacker who injects repeatedly keeps their injection in the window indefinitely. The window only helps if the attacker stops injecting.

Architecture

Components:

Window size— N most recent turns retained
Turn tracking— ordering and counting turns
Eviction— dropping oldest when window full
Context construction— window content in each call

Trust Boundaries

Window size: 10 turns Turn 1: Injection planted Turn 2-10: Injection in every call Turn 11: Turn 1 evicted, but injection was in Turn 1... New attack: Re-inject every 9 turns Turn 1: Inject Turn 9: Re-inject Turn 18: Re-inject ... Injection persists indefinitely with periodic refresh.

Injection → Window — injection enters and persists
Window → Model — window content processed each turn
Window → Eviction — injection eventually drops... maybe

Threat Surface

Threat	Vector	Impact
Window-length persistence	Single injection active for N turns	Guaranteed persistence period for attacker
Refresh attacks	Periodically re-inject to stay in window	Indefinite persistence with maintenance
Window stuffing	Fill window with injection-heavy content	Injection dominates recent context
Eviction timing exploitation	Time attacks to window boundaries	Maximize injection effectiveness window

The ZIVIS Position

•
Windows limit but don't prevent persistence.Sliding window bounds persistence but doesn't eliminate it. Attackers have a known working timeframe.
•
Window size is a security parameter.Smaller windows mean shorter injection persistence but less context. This is a security-utility trade-off.
•
Detect refresh patterns.Repeated injection to stay in window is a detectable pattern. Monitor for it.
•
Consider per-turn validation.Even with windows, validate content. Don't rely solely on eviction for security.

What We Tell Clients

Sliding window memory limits injection persistence but doesn't prevent it. An injection persists for the window duration, and attackers can maintain presence by re-injecting.

Treat window size as a security parameter. Smaller windows reduce risk but also context. Combine with per-turn validation rather than relying on eviction alone.

Related Patterns

Conversation Buffer— unlimited retention alternative
Conversation Summary— summarization instead of truncation