James Mickens pointed out in the Q&A of my Usenix talk that the broker is vulnerable to prototype poisoning by guest code. The simplest solution to this problem is to push policy validation back to the monitor and refactor the broker to not rely on any functions that guest code can modify.
- Move policy validation back to monitor
- Cache references to any native functions used by the new broker
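The second item, as an added illustration that is not the author's broker code: a toy broker whose membership check picks up whatever guest code has put on `Array.prototype`, beside one that captures `Reflect.apply` and `Array.prototype.includes` before any guest runs. The broker names, the policy list and the single-method poisoning are invented stand-ins for the real broker's validation logic.

```javascript
"use strict";

// Policy the broker enforces: actions a guest may request (constructed).
const ALLOWED = Object.freeze(["read", "list"]);

// Naive broker: resolves Array.prototype.includes at call time, so whatever
// the guest has installed there is what actually runs.
function brokerNaive(action) {
  return ALLOWED.includes(action);
}

// Hardened broker: capture the natives it needs once, at load time, before
// guest code can execute. Later writes to Array.prototype or Reflect do not
// change these references, and apply() avoids a property lookup at call time.
const apply = Reflect.apply;
const arrayIncludes = Array.prototype.includes;
function brokerHardened(action) {
  return apply(arrayIncludes, ALLOWED, [action]);
}

// Guest code poisoning the prototype so every membership check answers yes.
function guestPoison() {
  Array.prototype.includes = function () { return true; };
}

// Exercise both brokers before and after the poisoning, then restore the
// prototype so the rest of the process is unaffected.
function runScenario() {
  const original = Array.prototype.includes;
  const result = {
    naiveBefore: brokerNaive("delete"),      // false: policy honoured
    hardenedBefore: brokerHardened("delete"), // false
  };
  guestPoison();
  try {
    result.naiveAfter = brokerNaive("delete");            // true: bypassed
    result.hardenedAfter = brokerHardened("delete");      // false: still denied
    result.hardenedAllowedAfter = brokerHardened("read"); // true: still permitted
  } finally {
    Array.prototype.includes = original;
  }
  return result;
}
```

Caching covers only the functions the broker itself calls; validation that runs in the monitor, outside the guest's realm, is not exposed to this in the first place, which is why the first item moves the policy check there.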