angr / angrop

BSD 2-Clause "Simplified" License

filter out privileged instructions #64

Closed Kyle-Kyle closed 8 months ago

Kyle-Kyle commented 8 months ago

Description

angrop is designed for userspace ROP chain generation and should not include privileged instructions in the ROP chain. We should add a filter in the architecture-specific configurations.

Steps to reproduce the bug

No response

Environment

No response

Additional context

No response

astewart-bah commented 8 months ago

Would it be possible for this to be user configurable?

Kyle-Kyle commented 8 months ago

Would it be possible for this to be user configurable?

Of course it is possible. But I'm curious what your use case is. Are you actually trying to use an angrop-generated payload in a privileged context? Or are you just using it for gadget searching?

astewart-bah commented 8 months ago

We are currently using angrop for both gadget analysis and chain building of userspace binaries.

My current use case does not need to use privileged instructions. I am the user that posted the iretd question in the angr slack. The privileged instructions are causing my current issues. However, when thinking about your comment "since currently angrop is designed only for userspace programs, it makes sense to filter out privileged instructions", it occurred to me that this might not always be the case. My research might include kernel space in the future.

Kyle-Kyle commented 8 months ago

So. It seems that iret is not a privileged instruction as documented in https://www.uops.info/xml.html. What I proposed is not a great solution to the problem. I'll just filter out iret in user_mode as a monkey patch then: https://github.com/angr/angrop/compare/master...wip/chainbuilder_refactor
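The kind of filter the thread settles on, as an added example that is not angrop's own code: gadgets are rejected if they contain a ring-0-only instruction (including a plain `mov` that touches a control or debug register), and, only when `user_mode` is set, if they contain `iret`, which is unprivileged but needs a kernel-style frame. The instruction lists, the `Gadget` class and the sample gadgets are constructed for this example and are not exhaustive.

```python
import re
from dataclasses import dataclass

# Ring-0-only x86/x86-64 instructions (constructed, non-exhaustive list for this example).
PRIVILEGED_MNEMONICS = frozenset({
    "hlt", "lgdt", "lidt", "lldt", "ltr", "clts", "invlpg", "invd", "wbinvd",
    "rdmsr", "wrmsr", "swapgs", "sysret", "sysretq",
})
# Control/debug register accesses are privileged even though the mnemonic is just "mov".
PRIVILEGED_OPERAND = re.compile(r"\b(cr[0-8]|dr[0-7])\b")
# Not privileged (the thread notes this per uops.info), but unusable in a
# user-space chain because it expects a kernel-style interrupt frame.
USER_MODE_UNUSABLE = frozenset({"iret", "iretd", "iretq"})


@dataclass(frozen=True)
class Gadget:
    addr: int
    insns: tuple  # ((mnemonic, operand string), ...) in execution order


def reject_reason(gadget, user_mode=True):
    """Return why a gadget must be dropped, or None if it is usable."""
    for mnem, ops in gadget.insns:
        if mnem in PRIVILEGED_MNEMONICS or PRIVILEGED_OPERAND.search(ops):
            return f"privileged: {mnem} {ops}".rstrip()
        if user_mode and mnem in USER_MODE_UNUSABLE:
            return f"user-mode unusable: {mnem}"
    return None


def filter_gadgets(gadgets, user_mode=True):
    """Split gadgets into the usable ones and a map of address -> rejection reason."""
    kept, dropped = [], {}
    for g in gadgets:
        reason = reject_reason(g, user_mode)
        if reason is None:
            kept.append(g)
        else:
            dropped[g.addr] = reason
    return kept, dropped


# Constructed sample gadgets; addresses and instruction sequences are made up.
SAMPLE = (
    Gadget(0x401000, (("pop", "rdi"), ("ret", ""))),
    Gadget(0x401010, (("mov", "cr3, rax"), ("ret", ""))),
    Gadget(0x401020, (("iretq", ""),)),
    Gadget(0x401030, (("hlt", ""), ("ret", ""))),
)

if __name__ == "__main__":
    for mode in (True, False):
        kept, dropped = filter_gadgets(SAMPLE, user_mode=mode)
        print(f"user_mode={mode}: kept {[hex(g.addr) for g in kept]}, dropped {dropped}")
```

With `user_mode=False` the `iretq` gadget is kept while the truly privileged ones are still dropped, which is the distinction the thread ends up drawing.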

Kyle-Kyle commented 8 months ago

The code is merged in https://github.com/angr/angrop/commit/285786d608d42e6da8affc3d1d4ede94c98a4d1a