Although program obfuscation has been widely considered in cryptographic literature, it has been shown that software only obfuscation of general programs is impossible. In this work, we assume the existence of stateless tamper proof hardware tokens to achieve program obfuscation. From a theoretical perspective, we construct an obfuscation scheme for RAM programs using stateless hardware tokens. We outline a proof of security for our construction under a UC simulation notion. From a practical perspective, we implement a complete and real hardware system using stateful hardware tokens, called HOP, which can be used to execute an obfuscated program. We show that HOP incurs overhead of 8x ∼ 76x over an insecure system, and performs 5x ∼ 238x better than a baseline hardware obfuscation scheme across simple to sophisticated programs. We also demonstrate how HOP incurs only 2x ∼ 41x slowdown to prior oblivious computation hardware schemes that do not guarantee program privacy. HOP exemplifies a new approach of designing secure processors with matching formal abstractions that allow the consumer to think of the hardware token as a trusted third party.