ECM Protocol
SECURITY & COMPLIANCE 12 MIN READ 2026.03.03

> Protocol-Level Attack Prevention

Techniques for preventing common protocol-level attacks against ECM Protocol implementations.

Protocol-Level Attack Prevention

Attack Surface Analysis

ECM Protocol implementations face various attack vectors. This guide covers prevention techniques for common protocol-level attacks.

Injection Attacks

Query Injection Prevention

// Vulnerable: String interpolation
const query = \`SELECT * FROM contexts WHERE id = '\${userInput}'\`;

// Secure: Parameterized queries
const query = {
  text: 'SELECT * FROM contexts WHERE id = $1',
  values: [userInput]
};

// Secure: Query builder validation
class SafeQueryBuilder {
  filter(field: string, op: string, value: any): this {
    // Validate field name against schema
    if (!this.schema.hasField(field)) {
      throw new ValidationError(\`Invalid field: \${field}\`);
    }
    // Validate operator
    if (!ALLOWED_OPERATORS.includes(op)) {
      throw new ValidationError(\`Invalid operator: \${op}\`);
    }
    // Escape value based on type
    const escapedValue = this.escape(value, this.schema.getType(field));
    this.filters.push({ field, op, value: escapedValue });
    return this;
  }
}

Denial of Service

Rate Limiting

const rateLimiter = new RateLimiter({
  // Per-client limits
  perClient: {
    requestsPerSecond: 100,
    burstCapacity: 200
  },
  // Per-operation limits
  perOperation: {
    'context.query': { rps: 50 },
    'context.put': { rps: 20 }
  },
  // Global limits
  global: {
    requestsPerSecond: 10000
  }
});

Query Complexity Limits

class QueryValidator {
  validate(query: ECMQuery): void {
    // Limit filter depth
    if (this.getFilterDepth(query.filter) > 5) {
      throw new ValidationError('Filter too deeply nested');
    }
    
    // Limit result size
    if (query.limit > 1000) {
      throw new ValidationError('Limit exceeds maximum');
    }
    
    // Limit projection size
    if (query.projection?.length > 50) {
      throw new ValidationError('Too many projected fields');
    }
  }
}

Man-in-the-Middle Prevention

Certificate Pinning

const client = new ECMClient({
  endpoint: 'https://ecm.example.com',
  tls: {
    pinning: {
      type: 'public_key',
      pins: [
        'sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
        'sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB='
      ]
    }
  }
});

Replay Attack Prevention

Request Signing

// Sign requests with timestamp
function signRequest(request: ECMRequest, privateKey: CryptoKey): SignedRequest {
  const timestamp = Date.now();
  const nonce = crypto.randomUUID();
  
  const payload = JSON.stringify({
    ...request,
    timestamp,
    nonce
  });
  
  const signature = crypto.sign('RSA-SHA256', payload, privateKey);
  
  return {
    payload,
    signature: signature.toString('base64'),
    timestamp,
    nonce
  };
}

// Server validation
function validateRequest(signed: SignedRequest): boolean {
  // Check timestamp freshness
  if (Math.abs(Date.now() - signed.timestamp) > 300000) {
    throw new SecurityError('Request expired');
  }
  
  // Check nonce hasn't been used
  if (await nonceCache.has(signed.nonce)) {
    throw new SecurityError('Replay detected');
  }
  
  // Verify signature
  return crypto.verify(signed.payload, signed.signature, publicKey);
}

Conclusion

Protocol-level attacks can compromise context security. Implement injection prevention, rate limiting, certificate pinning, and replay protection for comprehensive defense.

//TAGS

ATTACKS PREVENTION SECURITY PROTOCOL

//RELATED_DOCUMENTS

ECM Protocol Security Specification

ECM Protocol Security Specification

14 MIN
Implementing Zero-Trust Context Access

Implementing Zero-Trust Context Access

12 MIN
Context Encryption Key Management

Context Encryption Key Management

13 MIN
BACK_TO_SECURITY & COMPLIANCE