# Binary Fingerprinting (TLSH + Instruction Hashing)

## Module
Attestor

## Status
IMPLEMENTED

## Description
Binary fingerprinting infrastructure with two methods: Simplified TLSH (locality-sensitive hashing) and Instruction Hash (normalized instruction sequence hashing). Both are proof-of-concept implementations noted as needing production-grade library integration. BinaryFingerprintEvidenceGenerator creates attestable proof segments from binary vulnerability findings.

## Implementation Details
- **Evidence Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- attestation layer for binary fingerprint evidence. Creates `BinaryFingerprintEvidencePredicate` payloads from fingerprint analysis results.
- **Fingerprint Evidence Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryFingerprintEvidencePredicate.cs` -- wraps fingerprint data (TLSH hash, instruction hash) as attestable predicate.
- **Binary Identity**: `BinaryIdentityInfo.cs` -- captures binary metadata (path, SHA-256 hash, format, architecture).
- **Micro-Witness Integration**: `MicroWitnessBinaryRef.cs` -- references specific binary in micro-witness evidence. `MicroWitnessFunctionEvidence.cs` -- function-level fingerprint evidence.
- **Note**: The actual TLSH and instruction hashing algorithms live in `src/BinaryIndex/` (the binary analysis module). The Attestor module provides the attestation wrapper and proof-chain integration.
- **Content Addressing**: Fingerprint evidence is stored with content-addressed IDs via `ContentAddressedIdGenerator`.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`

## E2E Test Plan
- [ ] Generate a `BinaryFingerprintEvidencePredicate` from TLSH hash results and verify the predicate contains the locality-sensitive hash
- [ ] Generate a predicate from instruction hash results and verify the normalized instruction sequence hash is captured
- [ ] Verify `BinaryIdentityInfo` correctly captures binary format (ELF/PE/Mach-O) and architecture
- [ ] Create micro-witness evidence linking a fingerprint to a specific function via `MicroWitnessFunctionEvidence` and verify the reference chain
- [ ] Verify content-addressed IDs are generated deterministically for identical fingerprint evidence
- [ ] Wrap fingerprint evidence in a DSSE-signed attestation and verify the signed envelope contains the correct predicate type
- [ ] Generate fingerprint evidence for two versions of the same binary and verify the TLSH hashes differ but remain within expected similarity range