Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.

Abstract: In some examples, a computing device can include a processor resource and a non-transitory memory resource storing machine-readable instructions stored thereon that, when executed, cause the processor resource to identify a base resolution of a captured image having a base image quality, perform, via an individual neural network, neural network calculations on the captured image to form an enhanced image having an resolution that is higher than the base resolution and image quality that is higher than the base image quality.

Abstract: In one example in accordance with the present disclosure, an electronic device is described. An example electronic device includes a processor and memory storing executable instructions that when executed cause the processor to generate multiple synthetic images of an object based on defined object parameters and randomized visual parameters. The instructions also cause the processor to generate annotations of the object in multiple synthetic images based on the defined object parameters and the randomized visual parameters. The instructions further cause the processor to train a machine-learning (ML) model for detecting the object using the multiple synthetic images and annotations.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: In some examples, a non-transitory computer-readable medium stores executable code, which, when executed by a processor, causes the processor to receive a video of at least part of a human torso, use a neural network to produce multiple vector fields based on the video, the multiple vector fields representing movement of the human torso, and determine a respiration rate of the human torso using the multiple vector fields.

Abstract: Examples of methods for image enhancement are described. In some examples, a method includes segmenting an image into an object region and a background region. In some examples, the image has a first resolution. In some examples, the method includes generating, using a first machine learning model, an enhanced object region with a second resolution that is greater than the first resolution. In some examples, the first machine learning model has been trained based on object landmarks. In some examples, the method includes generating, using a second machine learning model, an enhanced background region with a third resolution that is greater than the first resolution. In some examples, the method includes combining the enhanced object region and the enhanced background region to produce an enhanced image.

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.

Abstract: Techniques of deferred container deployment are disclosed herein. In one embodiment, a method includes receiving, at a computing device, a container image corresponding to the container. The container image includes a first set of files identified by symbolic links individually directed to a file in the host filesystem on the computing device and a second set of files identified by hard links. The method also includes in response to receiving the container image, at the computing device, storing the received container image in a folder of the host filesystem on the computing device without resolving the symbolic links of the first set of the files until runtime of the requested container.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.

Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.