# Binary Diff with Deterministic Signatures

## Module
Attestor

## Status
VERIFIED

## Description
Binary diff analysis with DSSE-signed evidence output is implemented. The system compares binaries, produces deterministic diff signatures, serializes predicates, and integrates with VEX evidence linking. While the advisory specifically mentions B2R2 IR lifting, the implemented approach uses binary section-level diffing with DSSE attestation.

## Implementation Details
- **BinaryDiff Predicate System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- full predicate lifecycle:
  - `BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs predicates from diff findings
  - `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic serialization via normalization
  - `BinaryDiffDsseSigner.cs` -- DSSE envelope signing for deterministic signatures
  - `BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- signature verification
  - `BinaryDiffSectionModels.cs` -- section-level diff models for ELF/PE binaries
- **Evidence Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates fingerprint evidence from binary analysis.
- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- binary identity model. `BinaryVulnMatchInfo.cs` -- vulnerability match details.
- **Binary Fingerprint Predicate**: `BinaryFingerprintEvidencePredicate.cs` -- predicate for fingerprint evidence.
- **VEX Integration**: `VexProofIntegrator.cs` links binary diff evidence to VEX decisions.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- builder, serializer, signer, schema validation tests

## E2E Test Plan
- [ ] Perform a binary diff between two versions of a binary and produce a `BinaryDiffPredicateBuilder` output with section-level changes
- [ ] Serialize the diff predicate via `BinaryDiffPredicateSerializer.Normalize` and verify byte-for-byte determinism across two invocations
- [ ] Sign the normalized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope signature is valid
- [ ] Verify the signed diff evidence via `BinaryDiffDsseVerifier` and confirm integrity
- [ ] Generate binary fingerprint evidence via `BinaryFingerprintEvidenceGenerator` from a binary with known vulnerability matches and verify `BinaryVulnMatchInfo` is populated
- [ ] Link binary diff evidence to a VEX decision via `VexProofIntegrator` and verify the proof chain includes the diff artifact
- [ ] Create diff findings for both ELF and PE section types and verify `BinaryDiffSectionModels` handles both formats

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |