One approach to protect distributed systems implemented with mobile code is through program obfuscation. Disguising program intent is a form of information hiding that facilitates tamper proofing. By hiding program intent, adversaries are reduced to non-semantics attacks such as blind disruption or operating system level attacks (e.g. buffer overflows). In this paper, we amplify the Barak result to observe that the Virtual Black Box (VBB) program obfuscation model is fundamentally flawed for useful analysis. We provide an alternative framework for establishing and evaluating program intent protection mechanisms to impede software tampering. Our model reflects more modest goals than VBB. Rather than considering a comprehensive obfuscation view, we detail broad threat classes and propose mechanisms to counter those threats. We then illustrate our model with a protection proof and outline extensions to our results.