# Patch Oracle (Binary Diff for CVE Function Identification)

## Module

Attestor

## Status

IMPLEMENTED

## Description

Patch verification orchestration with patch signature storage and binary diff predicate building is implemented, enabling CVE function identification through patch comparison.

## Implementation Details

- **Binary Diff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- builds binary diff predicates comparing patched vs unpatched binaries to identify CVE-affected functions. Implements `IBinaryDiffPredicateBuilder.cs`.
- **Binary Diff Predicate Serializer**: `BinaryDiff/BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- serializes binary diff predicates with deterministic normalization. Implements `IBinaryDiffPredicateSerializer.cs`.
- **Binary Diff Finding**: `BinaryDiff/BinaryDiffFinding.cs` -- individual diff finding (function added/removed/changed, offset, size).
- **Binary Diff Section Models**: `BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models (text, data, rodata sections).
- **Binary Diff Metadata Builder**: `BinaryDiff/BinaryDiffMetadataBuilder.cs` -- builds metadata for binary diff comparisons (tool version, binary architecture, compiler info).
- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema for binary diff predicates.
- **Binary Diff Schema Validation**: `BinaryDiff/BinaryDiffSchemaValidationResult.cs` -- validation result model.
- **Binary Diff DSSE Verifier**: `BinaryDiff/BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- verifies DSSE-signed binary diff attestations. Implements `IBinaryDiffDsseVerifier.cs`.
- **Backport Tier 3 Signature**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Tier3Signature.cs` -- uses binary diff/HunkSig for backport detection.
- **Binary Fingerprint Evidence**: `Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates fingerprint evidence for binary comparison.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs`

## E2E Test Plan

- [ ] Build a binary diff predicate via `BinaryDiffPredicateBuilder` comparing a patched and unpatched binary; verify the diff identifies changed functions
- [ ] Verify `BinaryDiffFinding` entries capture function name, offset, and change type (added/removed/modified)
- [ ] Serialize a binary diff predicate via `BinaryDiffPredicateSerializer` and verify deterministic output (same diff = same bytes)
- [ ] Validate a binary diff predicate against `BinaryDiffSchema` and verify schema compliance
- [ ] Sign a binary diff predicate into a DSSE envelope and verify it via `BinaryDiffDsseVerifier`
- [ ] Build metadata via `BinaryDiffMetadataBuilder` and verify tool version, architecture, and compiler info are captured
- [ ] Tamper with a signed binary diff attestation and verify `BinaryDiffDsseVerifier` rejects it
- [ ] Verify `BinaryDiffSectionModels` captures diffs at the section level (text, data, rodata)
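The three signature-related checks in the plan above (deterministic serialization, DSSE sign-and-verify, tamper rejection) are illustrated below in a stand-alone Python example. This is an added illustration, not code from the StellaOps Attestor module: the finding shape mirrors what the page says `BinaryDiffFinding` carries (function name, change type, offset, size), the predicate type URI and key id are hypothetical placeholders, and HMAC-SHA256 stands in for a real DSSE signature so the block runs with the standard library only. The Pre-Authentication Encoding itself follows the DSSE v1 specification.

```python
"""Deterministic binary-diff predicate serialization plus DSSE-style
sign / verify / tamper-reject checks. Added illustration, not project code.
HMAC-SHA256 is a stand-in for an asymmetric DSSE signature (assumption)."""
import base64
import hashlib
import hmac
import json

PREDICATE_TYPE = "https://example.invalid/binary-diff/v1"  # hypothetical type URI
DEMO_KEY = b"demo-key-not-for-production"                   # constructed secret

# Constructed sample findings in the shape the page describes for
# BinaryDiffFinding: function name, change type, offset, size.
SAMPLE_FINDINGS = [
    {"function": "check_bounds", "change": "added",    "offset": 0x12A0, "size": 48},
    {"function": "parse_header", "change": "modified", "offset": 0x1240, "size": 96},
]


def normalize(findings):
    """Canonical ordering: by offset, then by function name (the
    deterministic-normalization step the serializer must perform)."""
    return sorted(findings, key=lambda f: (f["offset"], f["function"]))


def serialize(findings):
    """Deterministic bytes: normalized order, sorted keys, no whitespace."""
    body = {"findings": normalize(findings)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def pae(payload_type, payload):
    """DSSE v1 Pre-Authentication Encoding:
    "DSSEv1 " LEN(type) " " type " " LEN(body) " " body."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(payload, key=DEMO_KEY):
    """Wrap a serialized predicate in a DSSE envelope (signature over PAE)."""
    sig = hmac.new(key, pae(PREDICATE_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PREDICATE_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": "demo-hmac", "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope, key=DEMO_KEY):
    """Recompute the PAE from the envelope's own fields; accept only if at
    least one signature matches (constant-time comparison)."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"])


def tamper(envelope):
    """Copy of the envelope with one finding's change type flipped and the
    original signature left in place, i.e. the case the verifier must reject."""
    body = json.loads(base64.b64decode(envelope["payload"]))
    body["findings"][0]["change"] = "unchanged"
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")).decode("ascii")
    return forged


def run_checks():
    """Run the three checks and report each outcome."""
    a = serialize(SAMPLE_FINDINGS)
    b = serialize(list(reversed(SAMPLE_FINDINGS)))   # same diff, different input order
    env = sign_envelope(a)
    return {
        "deterministic": a == b,
        "verifies": verify_envelope(env),
        "tamper_rejected": not verify_envelope(tamper(env)),
    }


if __name__ == "__main__":
    print(run_checks())
```

Two design points carry over regardless of signature scheme: the verifier must rebuild the PAE from the envelope's `payloadType` and decoded `payload` rather than trusting any pre-computed digest, and determinism has to be enforced before signing (ordering plus canonical JSON), otherwise two semantically identical diffs produce different bytes and different signatures.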